Analysis
  max time kernel: 58s
  max time network: 61s
  platform: windows11-21h2_x64
  resource: win11-20241007-en
  resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 19-01-2025 19:03
  Static task: static1
  Behavioral task: behavioral1
    Sample: 691f6e3c-9102-4b60-a878-346573162d06.exe
    Resource: win11-20241007-en
General
  Target: 691f6e3c-9102-4b60-a878-346573162d06.exe
  Size: 24.6MB
  MD5: a083ae48ef54dd491872b9da1383730c
  SHA1: 6c00f38f5e033273275e36c77a40955caa190a80
  SHA256: 271beba7b37bad8ceb9b40f95ca7ac8076ff1c1670bc04825e78b0647ab25bbd
  SHA512: 7c843395838afadc565705c3b6ee22f1dbc66ef6fbe195f9050a08936ba661425b9f9cb44adf91ef347b1d1481cfb11de9fed99f4132d30333c75a337b3146eb
  SSDEEP: 786432:/3mbQPobZvANWHOR4YdRSbKZ+fnTkQfSzy:/3SoWuDjSpbZH
Malware Config
  Extracted: xworm
    tranny.racoongang.com:3389
    174.89.155.190:3389
    Install_directory: %AppData%
    install_file: svchost.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000a000000029df4-6.dat | family_xworm
  behavioral1/memory/4644-13-0x0000000000B20000-0x0000000000B3A000-memory.dmp | family_xworm
Xworm family

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
Executes dropped EXE (5 IoCs)
  pid | Process
  4644 | svchost.exe
  412 | VC_redist.x64 real.exe
  4720 | VC_redist.x64 real.exe
  1284 | VC_redist.x64.exe
  3564 | svchost.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  4720 | VC_redist.x64 real.exe
  3496 | VC_redist.x64.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{804e7d66-ccc2-4c12-84ba-476da31d103d} = "\"C:\\ProgramData\\Package Cache\\{804e7d66-ccc2-4c12-84ba-476da31d103d}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  3 | 3644 | msiexec.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | ip-api.com
Drops file in System32 directory (51 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\vcruntime140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfcm140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfcm140u.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140chs.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140cht.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140rus.dll | msiexec.exe
  File created | C:\Windows\system32\mfcm140u.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140cht.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140esn.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140fra.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140ita.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\vccorlib140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\vcamp140.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
  File created | C:\Windows\system32\vccorlib140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140kor.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\msvcp140.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
  File created | C:\Windows\system32\vcomp140.dll | msiexec.exe
  File created | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140deu.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140ita.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140chs.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140deu.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140esn.dll | msiexec.exe
  File created | C:\Windows\system32\mfcm140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\vcomp140.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140u.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140kor.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
  File created | C:\Windows\system32\vcamp140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140enu.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140rus.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140fra.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\concrt140.dll | msiexec.exe
  File created | C:\Windows\system32\concrt140.dll | msiexec.exe
  File created | C:\Windows\system32\vcruntime140_threads.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
  File created | C:\Windows\system32\vcruntime140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140enu.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140u.dll | msiexec.exe
Drops file in Windows directory (23 IoCs)
  description | ioc | Process
  File created | C:\Windows\SystemTemp\~DFFB19E3B2502F9F09.TMP | msiexec.exe
  File created | C:\Windows\Installer\e5d236c.msi | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF32A8CCA3DB968DC2.TMP | msiexec.exe
  File created | C:\Windows\Installer\e5d2381.msi | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF848C18331079EADA.TMP | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF63046A134B99C009.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2638.tmp | msiexec.exe
  File created | C:\Windows\Installer\e5d236b.msi | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF9DE443D8424109C6.TMP | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{E1902FC6-C423-4719-AB8A-AC7B2694B367} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2CC3.tmp | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF754DFCD4C85875D7.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\e5d2359.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{382F1166-A409-4C5B-9B1E-85ED538B8291} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI27B0.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\e5d236c.msi | msiexec.exe
  File created | C:\Windows\Installer\e5d2359.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\SystemTemp\~DFA86E991C69A9BF1A.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2AFD.tmp | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF219BED6C62D66A60.TMP | msiexec.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64 real.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64 real.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | msiexec.exe
Modifies registry class (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\VC_Runtime_Additional | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{E1902FC6-C423-4719-AB8A-AC7B2694B367}v14.42.34433\\packages\\vcRuntimeAdditional_amd64\\" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\InstanceType = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Language = "1033" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Assignment = "1" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\6611F283904AB5C4B9E158DE35B82819 | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Clients = 3a0000000000 | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Version = "237667969" | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34433" | VC_redist.x64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819\Provider | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819\Servicing_Key | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\AdvertiseFlags = "388" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\PackageName = "vc_runtimeMinimum_x64.msi" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.42.34433" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\Provider | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\AuthorizedLUAApp = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\PackageCode = "C029B57ADC55135439F2BCC435C9148F" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\DeploymentFlags = "3" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d} | VC_redist.x64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76 | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Clients = 3a0000000000 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d} | VC_redist.x64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Language = "1033" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Media\1 = ";" | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle | VC_redist.x64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{E1902FC6-C423-4719-AB8A-AC7B2694B367}" | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | VC_redist.x64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14 | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.42.34433" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819\VC_Runtime_Minimum | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d} | VC_redist.x64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\ = "{804e7d66-ccc2-4c12-84ba-476da31d103d}" | VC_redist.x64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Media\1 = ";" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\Servicing_Key | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Assignment = "1" | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\InstanceType = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Media | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Media | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | VC_redist.x64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList | msiexec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{382F1166-A409-4C5B-9B1E-85ED538B8291}v14.42.34433\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3108 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  4644 | svchost.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  4644 | svchost.exe
  3644 | msiexec.exe
  3644 | msiexec.exe
  3644 | msiexec.exe
  3644 | msiexec.exe
  3644 | msiexec.exe
  3644 | msiexec.exe
  3644 | msiexec.exe
  3644 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4644 | svchost.exe
  Token: SeBackupPrivilege | 3732 | vssvc.exe
  Token: SeRestorePrivilege | 3732 | vssvc.exe
  Token: SeAuditPrivilege | 3732 | vssvc.exe
  Token: SeDebugPrivilege | 4644 | svchost.exe
  Token: SeShutdownPrivilege | 1284 | VC_redist.x64.exe
  Token: SeIncreaseQuotaPrivilege | 1284 | VC_redist.x64.exe
  Token: SeSecurityPrivilege | 3644 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1284 | VC_redist.x64.exe
  Token: SeAssignPrimaryTokenPrivilege | 1284 | VC_redist.x64.exe
  Token: SeLockMemoryPrivilege | 1284 | VC_redist.x64.exe
  Token: SeIncreaseQuotaPrivilege | 1284 | VC_redist.x64.exe
  Token: SeMachineAccountPrivilege | 1284 | VC_redist.x64.exe
  Token: SeTcbPrivilege | 1284 | VC_redist.x64.exe
  Token: SeSecurityPrivilege | 1284 | VC_redist.x64.exe
  Token: SeTakeOwnershipPrivilege | 1284 | VC_redist.x64.exe
  Token: SeLoadDriverPrivilege | 1284 | VC_redist.x64.exe
  Token: SeSystemProfilePrivilege | 1284 | VC_redist.x64.exe
  Token: SeSystemtimePrivilege | 1284 | VC_redist.x64.exe
  Token: SeProfSingleProcessPrivilege | 1284 | VC_redist.x64.exe
  Token: SeIncBasePriorityPrivilege | 1284 | VC_redist.x64.exe
  Token: SeCreatePagefilePrivilege | 1284 | VC_redist.x64.exe
  Token: SeCreatePermanentPrivilege | 1284 | VC_redist.x64.exe
  Token: SeBackupPrivilege | 1284 | VC_redist.x64.exe
  Token: SeRestorePrivilege | 1284 | VC_redist.x64.exe
  Token: SeShutdownPrivilege | 1284 | VC_redist.x64.exe
  Token: SeDebugPrivilege | 1284 | VC_redist.x64.exe
  Token: SeAuditPrivilege | 1284 | VC_redist.x64.exe
  Token: SeSystemEnvironmentPrivilege | 1284 | VC_redist.x64.exe
  Token: SeChangeNotifyPrivilege | 1284 | VC_redist.x64.exe
  Token: SeRemoteShutdownPrivilege | 1284 | VC_redist.x64.exe
  Token: SeUndockPrivilege | 1284 | VC_redist.x64.exe
  Token: SeSyncAgentPrivilege | 1284 | VC_redist.x64.exe
  Token: SeEnableDelegationPrivilege | 1284 | VC_redist.x64.exe
  Token: SeManageVolumePrivilege | 1284 | VC_redist.x64.exe
  Token: SeImpersonatePrivilege | 1284 | VC_redist.x64.exe
  Token: SeCreateGlobalPrivilege | 1284 | VC_redist.x64.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3644 | msiexec.exe
  Token: SeRestorePrivilege | 3644 | msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  4720 | VC_redist.x64 real.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4644 | svchost.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 2220 wrote to memory of 4644 | 2220 | 691f6e3c-9102-4b60-a878-346573162d06.exe | 77
  PID 2220 wrote to memory of 4644 | 2220 | 691f6e3c-9102-4b60-a878-346573162d06.exe | 77
  PID 2220 wrote to memory of 412 | 2220 | 691f6e3c-9102-4b60-a878-346573162d06.exe | 78
  PID 2220 wrote to memory of 412 | 2220 | 691f6e3c-9102-4b60-a878-346573162d06.exe | 78
  PID 2220 wrote to memory of 412 | 2220 | 691f6e3c-9102-4b60-a878-346573162d06.exe | 78
  PID 412 wrote to memory of 4720 | 412 | VC_redist.x64 real.exe | 79
  PID 412 wrote to memory of 4720 | 412 | VC_redist.x64 real.exe | 79
  PID 412 wrote to memory of 4720 | 412 | VC_redist.x64 real.exe | 79
  PID 4720 wrote to memory of 1284 | 4720 | VC_redist.x64 real.exe | 81
  PID 4720 wrote to memory of 1284 | 4720 | VC_redist.x64 real.exe | 81
  PID 4720 wrote to memory of 1284 | 4720 | VC_redist.x64 real.exe | 81
  PID 4644 wrote to memory of 3108 | 4644 | svchost.exe | 85
  PID 4644 wrote to memory of 3108 | 4644 | svchost.exe | 85
  PID 1284 wrote to memory of 4988 | 1284 | VC_redist.x64.exe | 93
  PID 1284 wrote to memory of 4988 | 1284 | VC_redist.x64.exe | 93
  PID 1284 wrote to memory of 4988 | 1284 | VC_redist.x64.exe | 93
  PID 4988 wrote to memory of 3496 | 4988 | VC_redist.x64.exe | 94
  PID 4988 wrote to memory of 3496 | 4988 | VC_redist.x64.exe | 94
  PID 4988 wrote to memory of 3496 | 4988 | VC_redist.x64.exe | 94
  PID 3496 wrote to memory of 2164 | 3496 | VC_redist.x64.exe | 95
  PID 3496 wrote to memory of 2164 | 3496 | VC_redist.x64.exe | 95
  PID 3496 wrote to memory of 2164 | 3496 | VC_redist.x64.exe | 95
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\691f6e3c-9102-4b60-a878-346573162d06.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\691f6e3c-9102-4b60-a878-346573162d06.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2220

  [2] C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4644

    [3] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Scheduled Task/Job: Scheduled Task
        PID: 3108

  [2] C:\Users\Admin\AppData\Roaming\VC_redist.x64 real.exe
      Command line: "C:\Users\Admin\AppData\Roaming\VC_redist.x64 real.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 412

    [3] C:\Windows\Temp\{97D6E87C-FF62-4FDE-B1ED-30AF3F8B11F3}\.cr\VC_redist.x64 real.exe
        Command line: "C:\Windows\Temp\{97D6E87C-FF62-4FDE-B1ED-30AF3F8B11F3}\.cr\VC_redist.x64 real.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\VC_redist.x64 real.exe" -burn.filehandle.attached=756 -burn.filehandle.self=760
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 4720

      [4] C:\Windows\Temp\{BF898AA9-3B7F-4E42-99D0-99FA770E6FAC}\.be\VC_redist.x64.exe
          Command line: "C:\Windows\Temp\{BF898AA9-3B7F-4E42-99D0-99FA770E6FAC}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{F57E88E9-0DCB-454B-9B6C-3EA086194D28} {659EF413-16E3-4BF9-9B74-16F5C68B5B47} 4720
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1284

        [5] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
            Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=956 -burn.embedded BurnPipe.{3916AEE8-44BE-47B5-A867-99C33544624B} {514CF8E7-BBB4-4F1F-89A3-B23A4564BE2B} 1284
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4988

          [6] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
              Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=956 -burn.embedded BurnPipe.{3916AEE8-44BE-47B5-A867-99C33544624B} {514CF8E7-BBB4-4F1F-89A3-B23A4564BE2B} 1284
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 3496

            [7] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{7CC0DD5D-B80E-48A8-A764-EED4A5F89993} {3437BB02-004E-4E6B-90B2-5181EB2FF493} 3496
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                PID: 2164

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 3732

[1] C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 228

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3644

[1] C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    PID: 3564
Network

MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
Downloads

- Filesize: 19KB
  MD5: 3118c90bd5821292387e1d95f7796cde
  SHA1: d3e637de459a1a88e03c1a19de12b184d494697e
  SHA256: 2c431bd2579e9a3290f3d7b9523f4f21d3cfd4429e105ec427eeb74769ec1966
  SHA512: 29a29c0006a51fd9e02c1f25cc9d18bd6d17572432e90ff0afe8e77966fcc0749d36160a1c9f5392cd3843613207903164e2774c42d795623107be901de672a8

- Filesize: 19KB
  MD5: e68a1098dd104bf12cfb3d927d0deb63
  SHA1: 23171e693325b4a038c4af14e7e7dd81ff53491f
  SHA256: c73c4859bf95353343c257776ffdbc15af61e1f3d85795d8ae9813d33fa7c750
  SHA512: 301c7beadac08f28280620bf0449393f7ac31e4b2fee1bc5cd3e72f8e421a3b96715efbcdb9365e148c5f99f6d65a97e952dd47934711ac6efc4f918bd70e0bc

- Filesize: 21KB
  MD5: fd5941175d66068559a4a80d525e2af3
  SHA1: a5e68416746e08550adba5b6a2a0be5c8cab0a7b
  SHA256: 2515ab1f9cf770b02a797cc9a8f499fd698d45ecf412fe0ed4333c3ab5225319
  SHA512: 91a907a056a04c0025b8cbc08f7b162e8f5e51a81262aabea9214456e33527a43bdd6872d2338bad4196507f600a38bbc4935a4cd409ce43c04f72fbfec27b77

- Filesize: 21KB
  MD5: 0ecd73c791d6a2aff49d5046f4c87497
  SHA1: ad44deac7f7d79d048bf98a2122c9bbd8f7cd7f7
  SHA256: 36ea9f0e852d0df3301d8d75b85696bc1327373203c07612cadeb38745a87d9d
  SHA512: e8ffb17b2d527eae1f3ccf9c10f1c2d26476bca0acbd3fc2ae4d9f201c1af867b169fd55ec960644f78fa75d9c756005b112006acdfc0bd273ed6605c384684f

- Filesize: 2KB
  MD5: 5cfed10f1922c2d4b97922d7a6224be7
  SHA1: 7912cd0cc083caea330a0a1a418c6f390cb880f6
  SHA256: 5c94e28ad0dfc5dcfdb187d4f89c9783b78608e12961c31dbeef312922604bbd
  SHA512: 87da838d86536e6461e78a2c064d6afb6fce5498fed45404c7cb6d0753975c0590878e210586f30700a4f715b71694f43019bd311488abcc3f165c2457d65006

- Filesize: 2KB
  MD5: 77b11c266c5edc7179359c5076280562
  SHA1: efb263cbd5f44fe4d29a1a9c26daefb6c540ef10
  SHA256: dd1c1912739ae7e9f98ae4be274f2df1eae9c40df20f30cb48813099ab8ddac0
  SHA512: 7299f043e09bc746d37b1913b1c8c5c33b20dac5e43757657dc599f74d85a9b12b2ed75982e2637dc150715a63a5a5e75252cba53c043a28d7dcea880368461f

- Filesize: 24.5MB
  MD5: 223a76cd5ab9e42a5c55731154b85627
  SHA1: 38b647d37b42378222856972a1e22fbd8cf4b404
  SHA256: 1821577409c35b2b9505ac833e246376cc68a8262972100444010b57226f0940
  SHA512: 20e2d7437367cb262ce45184eb4d809249fe654aa450d226e376d4057c00b58ecfd8834a8b5153eb148960ffc845bed1f0943d5ff9a6fc1355b1503138562d8d

- Filesize: 82KB
  MD5: 2296b5af1a68a6d5d3507b8065f9c408
  SHA1: 5a76c7a1a18d1b32bd71f33f04e5cdd7269fe9f9
  SHA256: 18aa9be2dca83ee05f662fface2e064231c9b0c9b27edc1463b5e72c2ddc3d11
  SHA512: fc8aca38cdc2777cb19ce18274d35dd458ed0f8d6787cc97a82de7ec15b713e17a25c831db14a5183b4f1dc6b73a0bc891b6dff6e44ba17b60d432cd0880dd75
-
Filesize
670KB
MD53f32f1a9bd60ae065b89c2223676592e
SHA19d386d394db87f1ee41252cac863c80f1c8d6b8b
SHA256270fa05033b8b9455bd0d38924b1f1f3e4d3e32565da263209d1f9698effbc05
SHA512bddfeab33a03b0f37cff9008815e2900cc96bddaf763007e5f7fdffd80e56719b81341029431bd9d25c8e74123c1d9cda0f2aefafdc4937095d595093db823df
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
215KB
MD5f68f43f809840328f4e993a54b0d5e62
SHA101da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1
-
Filesize
5.4MB
MD55866203168b27f18c1b47abfa6823e02
SHA13b696be0a4cf750965d74263e43b8e302cb1b318
SHA2567d48e0905ebea9b14a07cff687705dfdc50d795cd4c32e5ed87a0e344884b430
SHA512037f793f60be84f1da005d47e21783e719a85b5c12c4d20050ad9d3254ac99ba8eb30b4b1378bac69379dbc659427dc1ae4a19062ecd337d47d480d047afb669
-
Filesize
969KB
MD58c302e40fbf614896ba36a75f3f8977e
SHA1991af1495f7783173d0c5691be38ff8648f2df12
SHA256b384b812dc59c2081cee080ea6bba748e02ecf3c0800d8dcaf9607a20a4f3290
SHA51253b1d7d8ab495931f50b5d815afe04d52f9e0bbafa0a5f3e4f6605b6e4f2a85c583abf9014dec41481439827bb6bab23ac439d4fd7d0c3f191f21b2bf5afb11d
-
Filesize
208KB
MD5351d8e8c804f6c6aab4c718977b1817d
SHA11b680e5e2ed548e5636f9d656c49c87cf9a70da8
SHA256cf584e5132ef3766a088f824bd038494713a7168cdddd44e3f8c4ad581e2206e
SHA512d0613c6b1a72c73013c0519619c557811a1d20fcddc8361d391a31fc4aa9c70173b907957babb049067111427a81e48a82e5467a15dae8bebb55b048993c93a4
-
Filesize
208KB
MD509042ba0af85f4873a68326ab0e704af
SHA1f08c8f9cb63f89a88f5915e6a889b170ce98f515
SHA25647cceb26dd7b78f0d3d09fddc419290907fe818979884b2192c834034180e83b
SHA5121c9552a8bf478f9edde8ed67a8f40584a757c66aaf297609b4f577283469287992c1f84ebe15df4df05b0135e4d67c958a912738f4814440f6fd77804a2cfa7d
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2