xworm | hxxps://gofile[.]io/d/Etlbu7

Analysis

max time kernel
102s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Etlbu7

Score

10^/10

xworm discovery execution pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

89.213.177.171:7000

Mutex

Y84cQ8sTyNg3D9Ue

Attributes

Install_directory
%ProgramData%
install_file
VLC_Medai.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022ec9-419.dat	family_xworm
behavioral1/memory/3124-421-0x00000000007A0000-0x00000000007B2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe
1524	powershell.exe
1296	powershell.exe
5104	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3880	sms.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
81	raw.githubusercontent.com
82	raw.githubusercontent.com
88	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
90	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000002202e-406.dat	pyinstaller
behavioral1/files/0x000400000002202e-409.dat	pyinstaller
behavioral1/files/0x000400000002202e-455.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sms.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133701862678674222"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 184	3488	chrome.exe	83
PID 3488 wrote to memory of 184	3488	chrome.exe	83
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1956	3488	chrome.exe	85
PID 3488 wrote to memory of 1532	3488	chrome.exe	86
PID 3488 wrote to memory of 1532	3488	chrome.exe	86
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87
PID 3488 wrote to memory of 752	3488	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/Etlbu7
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffae16cc40,0x7fffae16cc4c,0x7fffae16cc58
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3776,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3804,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4960,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5292,i,13023024919977544925,16948239448818065652,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:1612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1524

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\rel\" -spe -an -ai#7zMap25809:68:7zEvent4362
1⤵
PID:3684

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\rel\" -spe -an -ai#7zMap7490:68:7zEvent4992
1⤵
PID:3232

C:\Users\Admin\Downloads\rel\data\sms.exe
"C:\Users\Admin\Downloads\rel\data\sms.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3880
- C:\Users\Admin\Downloads\rel\data\._cache_sms.exe
  "C:\Users\Admin\Downloads\rel\data\._cache_sms.exe"
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Roaming\sms.exe
    "C:\Users\Admin\AppData\Roaming\sms.exe"
    3⤵
    PID:3272
  - - C:\Users\Admin\AppData\Roaming\sms.exe
      "C:\Users\Admin\AppData\Roaming\sms.exe"
      4⤵
      PID:4904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:2660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4460
- - C:\Users\Admin\AppData\Roaming\api.exe
    "C:\Users\Admin\AppData\Roaming\api.exe"
    3⤵
    PID:3124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\api.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'api.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Medai.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Medai.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5104
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  PID:3264
- - C:\Users\Admin\Downloads\rel\data\._cache_Synaptics.exe
    "C:\Users\Admin\Downloads\rel\data\._cache_Synaptics.exe" InjUpdate
    3⤵
    PID:3508
  - - C:\Users\Admin\AppData\Roaming\sms.exe
      "C:\Users\Admin\AppData\Roaming\sms.exe"
      4⤵
      PID:2148
    - - C:\Users\Admin\AppData\Roaming\sms.exe
        
        "C:\Users\Admin\AppData\Roaming\sms.exe"
        5⤵
        
        PID:3376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        6⤵
        
        PID:4616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:1296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:4924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:4068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:3284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:4032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:4544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:4600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:3668
  - - C:\Users\Admin\AppData\Roaming\api.exe
      "C:\Users\Admin\AppData\Roaming\api.exe"
      4⤵
      PID:1968

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
9.2MB

MD5
e65532a142e06f6f561a5e23d1b875f9

SHA1
cb1eb06ad204748c4d193249fd185b4316db49f1

SHA256
d3abe9bc769b35cdb2dc28caa2a81a66c589c77575ef67a4f2692b4998904c5c

SHA512
688bf28ca6c42df5521a6cf28a541592c9a34f0e4e613d603b6f1d6e0d28f6ffb39cf8020de3882901957736721d4a0f015c6c13b889206df63efe5f93c02036

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
9.1MB

MD5
4de7bcd42aea3be8eb6370ca83f6e4a2

SHA1
fa1e6e2abd137b813a30ad07a5ea3270f58145b7

SHA256
7da449399a91cd9c305dc5d59a1f1bc8766ffe41f1db17d7f84a4fd273404cbc

SHA512
e2e4b12e3a423248d5467d7333e49c0489a951dba1fdf236a69b622f6267e9348a02581fa0cc95b6deb1b4b4ca0751ccae0131abc8cf4e2a358d31fcbd72d86d

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.6MB

MD5
47c8fc44b528d64483b62675f5399bb0

SHA1
f07d36245d74827fb0c7926ad7f7dc739c4b02c9

SHA256
cbd98f44092ad40ba528f82541893a0c32c5b85039ee6138946e6d3ef638b25e

SHA512
0ba3dd2a67085606363ad4418172a44f0aaf992f54db2a7bbfac756710919afae8857fd4fc7248af7a86678aac5f2c1819c32c306c22d2942a1cdcd0d2b6f8b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9d6402efd9d5ae4f12447e3e854f498d

SHA1
972a9c242ee12861c85c9cb45c8164478292b843

SHA256
4594d4eb3c43c195f3d998a359e492f625c12ef99b829d8c7013e07c24a407a7

SHA512
ff336b7ffff8c59323e4b644c4c79d86b1967b37e4f29fc2cd2d487347c595a2930974ff4fb44d240b7fcd299fc488bcdba5092192f954e1c036a668bb42629c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
3d5daf3cf58d47961c74ab8e96ba6a67

SHA1
32e29e831784dc020da6f57556b804ec549ed15c

SHA256
7985a50ce31cb9ee090476ab26c9e23089e5cd40d26d30a30f522972ebe4f40e

SHA512
6cb5db488b063c43854243f1f71926dd50749b7eb83e61286d539ddf0e7bc89674508cc7c17f3482ab0cdfcce8bce7ae9e5401fc5cb4411a5a069c787f57837a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e5e0f8d0697fb9b9f141d85cfa98ecac

SHA1
e8184b3f04ba148de64f4e4a2327cc730dc10d71

SHA256
c0f89f8a19796c927e422d321272c42059e667abd425783878a229e7079a871a

SHA512
df980e5f5cbafb83645c3b21aa413b528dd62b3468c7b33990e712e5a0e594d7d1becceffe2379847e516a6cfd3380e90ef9759b7a1079ac34ca49fe2effd694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
0a4c9012d8671055dcc7ef03ca16e2cb

SHA1
b1dca939b4c37115561328b95a1f6417eff39119

SHA256
cb9d668eeab425ff68c02d4f9acf5bba005b175739aa5d15a70cd4d3c6fdde05

SHA512
50d1335aaf6e0a7b523434cf02c4dc89cd7cfe8e20ae501b094836ccdb1bc28bcd99cf539012140b70f453cc0ef51d3f9df55a1f1ddf70d158a6de727fe380ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
97af4365fbd4df5773783c7cfe5bb675

SHA1
2ac1857601cdadb16cdd9c75563331cc89d867d4

SHA256
c5f94d6c4e71ba4ca2302d0de67594cd24acad2f7e5481c7ce17f98cb42b14b7

SHA512
cc01ea42775f537237340463dec2797b58905ee91b5e217473ddf570beb149b1e75d03828c2097cd9265be343593be33a0e4355797d04be683d2368ffbc66a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
edbd93bcd7f0b53ee0f14f8da57a11c9

SHA1
b03a9a8486c5f6d0905fb1e2ddae5076f1f1dc63

SHA256
7315db0bb7549a7895ae37449b769dc9868ffa529753d5c96817ea777215575a

SHA512
5467d9a032bb559d6ad302375cf6cf8ccfafd28abc3bdadb104d486f6347a13ba7d0edbdcf9ca542790536933c944ba07a942925c4b70a7f7f007a0d13f37f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d73b78999a7af8666c6281d17e9050b

SHA1
2791aadd0684fe527c124378b31956916e40241b

SHA256
196ec6bd791cd84eb80a6df97a6621bba7af2d9487cd2cf04bc79d8fd55a036a

SHA512
d74a18fab1b23917ec1bfe8d3d0e12d33ba8f5c9855b74658180de463a3bcbcb1e66cb4eaf0006882624e3ba137a2c2b7039f1187b3e3b0474e613018e6fbc02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c69f135fb9b752203c8488abbce0ca5

SHA1
8c7bb20e75e545d120b16a46eb507ff4d524fa60

SHA256
feeeedfe45ff32512ee0fe1dc8dc37e9fca03e5f032200a5d9b324e2e8276f5a

SHA512
b0590fe09d6caf88eaa2bfde3be4e7a5168555880649234bbaa1e1968b4ccd752fa92a83bf1d4de573be9e3dce1b2d63d0e5574cb547eb4e6f1140ebd9845fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b6bf90c7e0419c8ddf2a2bc34b072ae0

SHA1
3916f5e5b17ad4cd5706d802a0fed7912356cab2

SHA256
73f66cd916ef99b278b2a9c55feebad220791c4367ee8dd52aa6ff9ee400a8d6

SHA512
4e80225421c13b99709419d9a8e8ab9300ec84488e113b518efcde460cbc2eac549cc414bfe2eb6ff55b8e483bd710858317b10583f28cf39553b6fc025e68b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e50db3594dc91da2ee168d0e2053077

SHA1
5b3b429424b8e1fccf6bc548d13b5eb5a7a1a284

SHA256
6ffb973aca6e840f7f30485faa85b4f4436707a6d6db44f1e38353cddaa1ceeb

SHA512
3b9dead5a2c0f15e2e0e087398ddeac494df4681426f12b37e85073f46c9f16ff98272f3af4a0b8975c101487b5c031e8fab103cbf00f46d8ffd1ff26c66e14d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80c68295d3a04e9542049ace7b70c8dd

SHA1
67fb69ba7f89ac99855be7e94de1d795ae9f6f75

SHA256
a56999f22a3b2ef59b2364c68e4cbd07c39b594dc8a238743fb389086c0db26d

SHA512
d59cebc6d11d34c4501bbfd98419d939dd5ccb687a2877792db04bcf36b5f308e9ebf5a3ba881a5d085280b1d15fefcd15dcaf0faac5c4068b8b60c00c688ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e39b08c4e8ea5f2c95772e6bd359057

SHA1
28e76878c8c206f9f2501e6b98449eccfb990065

SHA256
db5680f012332e22696ed3e6cac44f85f26219157619d422755b3ad233236236

SHA512
b0efbdb55f044369a69e03690f16fcb798f5bce6047eb5b98eeb079a87e7f285eb73a06406f865ab0ad1d2a6ffcc1bb6ce891ba871d935602a05b5e4ad7f7d09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
6b09fa0f3169a89bf0621afae486135a

SHA1
cab9c3080d18a200e0dae376630850d320808e9b

SHA256
e38d03c06eb2705fa5a761dd21b1dce542ae6046589d83ea83d854048bcd6d94

SHA512
5ab71aee3a0a4c4011df1dade9115671429fe4e28bbbdad654a72587936e19af623c9625fc06f3dfc8c71663945705788f1d6e0c94d2de18fc8c30ddde4ec11b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4789442b2e26568da9e58968a9c66afa

SHA1
eeed3e121c2ac1b30ee4ab818af1d86e31f53cda

SHA256
6e39eef33cdf79331fddc4b66bb565b8632383257ad629abb712590cbd44e60f

SHA512
32fccb00724e34774e5d45bdf494d01a15098b94e68b65c3e837bfe6d96a27be3c94a76f6ad6a73603cff5ec5a074553a86a96eb6df92fc0f322361cd6975207

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7495E00

Filesize
25KB

MD5
fbbe8193e77216fd9c105b44871b6c2c

SHA1
93c83a18f57e11db4a94fd70d5b060de635db907

SHA256
16555000fc4272cc87ee8fea4dcbab2e66516ba60fa062b855037b42fd3ba5d4

SHA512
1b2d974d42b15511c4f85ab84b07700a3da783f46f2271a13bb1797ccf9fbef3f169867c41bed4352edfc57345ac35434a5f9f9aff69c9addf0c9ed62e68b0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_queue.pyd

Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_ssl.pyd

Filesize
174KB

MD5
5b9b3f978d07e5a9d701f832463fc29d

SHA1
0fcd7342772ad0797c9cb891bf17e6a10c2b155b

SHA256
d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa

SHA512
e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\base_library.zip

Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_byk0gvfy.gjb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\api.exe

Filesize
50KB

MD5
4b35086a870a2f7a2bad2552cb623b0f

SHA1
0e8f5e5df57bfe267a465f04ca43d91b412bc618

SHA256
a0ae2e320fb5decbe74a6e244a72aec0910698b6adb1af8e6231839d8bfdf6ea

SHA512
09973f31cd6d61b886f4704fec8fea20941e3424875f5904b89b69c67bfa1d0afcb615771b3555a4c63f00f00db1bfdd17d345ec8312aeac906eb08241b46295

Download Submit
C:\Users\Admin\AppData\Roaming\sms.exe

Filesize
8.1MB

MD5
d7eebd20010b7b4d9d5666dc6ca64f61

SHA1
92535fd19e7cfd8f03637f982e83fdad3a1c81b7

SHA256
a728e840e106db6d016fa012fb571c5c4715badb43176a4bda3409879d0d714a

SHA512
56ea0447fbbcb9cccbe3df050fc8577e5b94e3237f0d0aea622d8fe48f7fda1a28fffefbe7ebbb58e96d9936e72219dabced0ac87bb3043b0e410fe3d849dc64

Download Submit
C:\Users\Admin\AppData\Roaming\sms.exe

Filesize
8.1MB

MD5
62daff9e9f1cd6587b5259759cf7d40c

SHA1
75805737bce6063d3bf2642d7ab6c2ec2ea5764c

SHA256
6b5839f6b7110367f81b092d5e02ec13f3057f0811b1036df22f3eeba1d87a10

SHA512
414c4ea992c3899fc378b6cc268ddc3bcdd8d5b13a1b2b143210eeeb6d94e92cb508254f83521198e8e5a17681280515f1c5baf242e52f30c8a2f20abef8528f

Download Submit
C:\Users\Admin\AppData\Roaming\sms.exe

Filesize
8.4MB

MD5
510d3870a1be7dca6364fbea89ab77f3

SHA1
89b9dc9e741c4710aa3a930f7b2f6c3999add786

SHA256
aba6f840e2fdff76e560d6262fdf6614ef99fad5e7990690eb4bdfc0dfa8da79

SHA512
a2d8b92f4b21deccd17d5d130d120810e4267797f74c90f8b19987721add42efa4b9e343b79d6fd9cc71af1bd2802791e948ba483f7f0c832cbf3a623ff92d88

Download Submit
C:\Users\Admin\Downloads\rel\X_ATTACKER-V5.9.exe

Filesize
8.6MB

MD5
2e0e8590671d4eb9595fcaf458508830

SHA1
77ff5b7ec4340fd5b8b9bd813b0406f5341bdd2c

SHA256
f8bfa0243b387ace0d9169019d0355a0623d3dfef8c34cf2a40cd891daeac0ea

SHA512
b6c155977465f972484333afbdfd39f2fe279f5477ffec08996bf1cb7899827946a90ba246c82946ff2823a880bc9c0f22ee0b0150db8ed210c57a0d78cd8974

Download Submit
C:\Users\Admin\Downloads\rel\X_ATTACKER-V5.9.exe

Filesize
8.1MB

MD5
e4c635f04496e8cd2f116ded076bf3da

SHA1
6e22bba64f02001d97cabeab37dc85f3255b27eb

SHA256
0bd8089d30b66a9abe039f11b1855c59fba7b83e260840feef40fd651ade1b2b

SHA512
4850acfb6244d3d6c14fad52122adc56b62a0ac1f0083029432aebaa30d9262fe71054d69d5be9c616e125bbb31c605243cd1d70577f3826f58143fce9cd7df9

Download Submit
C:\Users\Admin\Downloads\rel\X_ATTACKER-V5.9.exe

Filesize
8.9MB

MD5
a6678d97db3b071aaa02ae9e9fb9137c

SHA1
0e1e97772505e2ba85d8b7c3ec798cff2c845d56

SHA256
9d60357994c19c5fdffd06a60cb9cb4ddb351928cf06f775417cdd50573e775a

SHA512
a302a59f4f23562070d1852c2499bea41632fd1c3e8b369e2c4040af0c42d6c3cfdfb2fbd1d7292443cf53a92ce73298be059a2c2fbba9f434b085661c1348c2

Download Submit
C:\Users\Admin\Downloads\rel\data\._cache_Synaptics.exe

Filesize
8.1MB

MD5
c8536fb9bbae298aa597985b95f3c5e6

SHA1
d19e81aadffa28d8593cedeada3f6f6f9dae7545

SHA256
7e107af4c0d398db351c293b299aa4953060cdf0547547b64607c5fc37c9546d

SHA512
1873c49ed381330121ddd35edc9e77882afddbe5ebd45d9939e77a6f51e8c1c22eb896ec90899e61f7b57713b3934853d4b77dc92a2f9311607b9231babc3608

Download Submit
C:\Users\Admin\Downloads\rel\data\._cache_sms.exe

Filesize
8.6MB

MD5
6a72160119af48fdf259c1c62f588d3c

SHA1
0edf9f884423fa9346019a26265a8e8c63c956a5

SHA256
efb134deb93a04c7a7a5c8d00bf7b393c008c23d6016d2ad3aa92959b88e7603

SHA512
fbfd85c77bf85b7ab2c40d9e480e6e61a10ec6d6a3bf2f00f472913873aa34886e763b7ad594dd6d100cb401af0d7b194a8ee5d53ffb95e9ba14076312f8a5f9

Download Submit
C:\Users\Admin\Downloads\rel\data\sms.exe

Filesize
9.3MB

MD5
2fda729af7be83624fe7b5c61d2d36a0

SHA1
68ee34c9d368b0a201f9a574c19fe700974a6563

SHA256
0c2e058f82341a8b2b4460cd0bdbf2ed9156295e5e9a64b68aa320b817f2fb1d

SHA512
869a40de2075764b03720f9a176615a15fd67b69d0e04bdfa1c596f9315ca4aaae1161aadcd1ae47cc23fdb9872e7b7c58f0ee8b00784f2559e3a4664ce2883e

Download Submit
memory/1860-480-0x00007FFF7D130000-0x00007FFF7D140000-memory.dmp

Filesize
64KB

Download
memory/1860-504-0x00007FFF7AF10000-0x00007FFF7AF20000-memory.dmp

Filesize
64KB

Download
memory/1860-477-0x00007FFF7D130000-0x00007FFF7D140000-memory.dmp

Filesize
64KB

Download
memory/1860-476-0x00007FFF7D130000-0x00007FFF7D140000-memory.dmp

Filesize
64KB

Download
memory/1860-475-0x00007FFF7D130000-0x00007FFF7D140000-memory.dmp

Filesize
64KB

Download
memory/1860-515-0x00007FFF7AF10000-0x00007FFF7AF20000-memory.dmp

Filesize
64KB

Download
memory/1860-479-0x00007FFF7D130000-0x00007FFF7D140000-memory.dmp

Filesize
64KB

Download
memory/3124-421-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/3264-632-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/3880-350-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/4032-341-0x0000000000D00000-0x0000000001594000-memory.dmp

Filesize
8.6MB

Download
memory/4576-581-0x000001FBDC160000-0x000001FBDC182000-memory.dmp

Filesize
136KB

Download