xworm | 091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a

Analysis

max time kernel
1261s
max time network
1301s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 10:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MMLo7 Rat.exe
Size

2.8MB
MD5

2dc24c81438806bd03b492b9a3f3c55c
SHA1

1b62f6d53570d7cd3c8d04e6ea7e349b5de5cc89
SHA256

3edd74d68dd78681ed9eae3973ee2fb878c60e6e24dfa313ea2b4547008b1149
SHA512

f03ef03ffd926c35a6c88be065a8b6174af323a9fc633fc8d0c1ee55bf8b2eb5ef824d9c9feda21104dd10ff7f0d8d0660e9d4ba0cd8a932dd5d8e342f023ce1
SSDEEP

49152:cTtjEoXzJndn324ktdDyXqimfg9vdsIvQBLjEWdK/EEj8iG/MRmJ:stnXzJ12lDyXJMsvGs8Ljc7oRR

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 23 IoCs

pid	Process
60	Software.exe
3192	conhost.exe
4456	conhost.exe
3928	conhost.exe
1972	conhost.exe
2908	conhost.exe
1336	conhost.exe
4064	conhost.exe
4160	conhost.exe
116	conhost.exe
3324	conhost.exe
1644	conhost.exe
1052	conhost.exe
1068	conhost.exe
3384	conhost.exe
3536	conhost.exe
3404	conhost.exe
4972	conhost.exe
3888	conhost.exe
4744	conhost.exe
4212	conhost.exe
4688	conhost.exe
1364	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
552	powershell.exe
552	powershell.exe
60	Software.exe
60	Software.exe
60	Software.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	MMLo7 Rat.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	60	Software.exe
Token: SeDebugPrivilege	3192	conhost.exe
Token: SeDebugPrivilege	3192	conhost.exe
Token: SeDebugPrivilege	4456	conhost.exe
Token: SeDebugPrivilege	3928	conhost.exe
Token: SeDebugPrivilege	1972	conhost.exe
Token: SeDebugPrivilege	2908	conhost.exe
Token: SeDebugPrivilege	1336	conhost.exe
Token: SeDebugPrivilege	4064	conhost.exe
Token: SeDebugPrivilege	4160	conhost.exe
Token: SeDebugPrivilege	116	conhost.exe
Token: SeDebugPrivilege	3324	conhost.exe
Token: SeDebugPrivilege	1644	conhost.exe
Token: SeDebugPrivilege	1052	conhost.exe
Token: SeDebugPrivilege	1068	conhost.exe
Token: SeDebugPrivilege	3384	conhost.exe
Token: SeDebugPrivilege	3536	conhost.exe
Token: SeDebugPrivilege	3404	conhost.exe
Token: SeDebugPrivilege	4972	conhost.exe
Token: SeDebugPrivilege	3888	conhost.exe
Token: SeDebugPrivilege	4744	conhost.exe
Token: SeDebugPrivilege	4212	conhost.exe
Token: SeDebugPrivilege	4688	conhost.exe
Token: SeDebugPrivilege	1364	conhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
60	Software.exe
60	Software.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
60	Software.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
60	Software.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 60	4124	MMLo7 Rat.exe	83
PID 4124 wrote to memory of 60	4124	MMLo7 Rat.exe	83
PID 4124 wrote to memory of 552	4124	MMLo7 Rat.exe	84
PID 4124 wrote to memory of 552	4124	MMLo7 Rat.exe	84
PID 4124 wrote to memory of 552	4124	MMLo7 Rat.exe	84
PID 4124 wrote to memory of 3192	4124	MMLo7 Rat.exe	88
PID 4124 wrote to memory of 3192	4124	MMLo7 Rat.exe	88
PID 3192 wrote to memory of 1348	3192	conhost.exe	91
PID 3192 wrote to memory of 1348	3192	conhost.exe	91

C:\Users\Admin\AppData\Local\Temp\MMLo7 Rat.exe
"C:\Users\Admin\AppData\Local\Temp\MMLo7 Rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\Software.exe
  "C:\Users\Admin\AppData\Local\Temp\Software.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:60
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\conhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "conhost" /tr "C:\ProgramData\conhost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1348

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\ProgramData\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Software.exe

Filesize
5.0MB

MD5
a03565cf42ca83d7494117d7e3cc82e4

SHA1
7a4bc05fe549484bd831c8f0397d7c1a0fe288c2

SHA256
c8406d3bcc1ecf408d6f66991a711fb8bddd7ca48a5a3cb4144d7ba20e3754cf

SHA512
3084c9df0e9e81746b67435e2f5653e5cc49f176df209112fc9b8de5340bd68fe6ed39a2cfd7fc50f2d4a7b33834c4530cf77754903f1036a6fdd9af5624fa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Software.exe

Filesize
5.0MB

MD5
a03565cf42ca83d7494117d7e3cc82e4

SHA1
7a4bc05fe549484bd831c8f0397d7c1a0fe288c2

SHA256
c8406d3bcc1ecf408d6f66991a711fb8bddd7ca48a5a3cb4144d7ba20e3754cf

SHA512
3084c9df0e9e81746b67435e2f5653e5cc49f176df209112fc9b8de5340bd68fe6ed39a2cfd7fc50f2d4a7b33834c4530cf77754903f1036a6fdd9af5624fa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Software.exe

Filesize
5.0MB

MD5
a03565cf42ca83d7494117d7e3cc82e4

SHA1
7a4bc05fe549484bd831c8f0397d7c1a0fe288c2

SHA256
c8406d3bcc1ecf408d6f66991a711fb8bddd7ca48a5a3cb4144d7ba20e3754cf

SHA512
3084c9df0e9e81746b67435e2f5653e5cc49f176df209112fc9b8de5340bd68fe6ed39a2cfd7fc50f2d4a7b33834c4530cf77754903f1036a6fdd9af5624fa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pydwsgsj.wzv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
64KB

MD5
4b08ce9062f3be1e89b4ad335e4b9fca

SHA1
cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f

SHA256
7ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff

SHA512
8d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.xml

Filesize
426B

MD5
08eaf0a087c3a7d35c1c0e50dd304cbd

SHA1
e6f8463ad17ae7ef4b28b33ad6d6742791bfa628

SHA256
f638d7332e5b55ac336f8f6f2692a3db9df3b51f95771720d923f4db439e3fdb

SHA512
ccc6b132eebe3536671bff04fc6d7664abdfe5dd8022fa64bf6a678927791f39b55b7d890f210570378b16fb59dd219e216a979f7da2fec0b3814b05da95cd2c

Download Submit
memory/60-151-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/60-190-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/60-174-0x00000247FD570000-0x00000247FD580000-memory.dmp

Filesize
64KB

Download
memory/60-159-0x00000247FD570000-0x00000247FD580000-memory.dmp

Filesize
64KB

Download
memory/60-152-0x00000247FDAC0000-0x00000247FDF18000-memory.dmp

Filesize
4.3MB

Download
memory/60-150-0x00000247FAB40000-0x00000247FB04A000-memory.dmp

Filesize
5.0MB

Download
memory/60-197-0x00000247FD570000-0x00000247FD580000-memory.dmp

Filesize
64KB

Download
memory/116-249-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/116-248-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/552-158-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/552-199-0x00000000074B0000-0x00000000074B8000-memory.dmp

Filesize
32KB

Download
memory/552-202-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/552-198-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/552-196-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/552-195-0x00000000073C0000-0x00000000073CE000-memory.dmp

Filesize
56KB

Download
memory/552-194-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/552-193-0x0000000007410000-0x00000000074A6000-memory.dmp

Filesize
600KB

Download
memory/552-192-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/552-191-0x00000000060A0000-0x00000000060AA000-memory.dmp

Filesize
40KB

Download
memory/552-189-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/552-188-0x00000000077E0000-0x0000000007E5A000-memory.dmp

Filesize
6.5MB

Download
memory/552-187-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/552-176-0x0000000007070000-0x00000000070A2000-memory.dmp

Filesize
200KB

Download
memory/552-177-0x000000006FF60000-0x000000006FFAC000-memory.dmp

Filesize
304KB

Download
memory/552-175-0x000000007F750000-0x000000007F760000-memory.dmp

Filesize
64KB

Download
memory/552-173-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/552-171-0x0000000005E70000-0x0000000005E8E000-memory.dmp

Filesize
120KB

Download
memory/552-161-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/552-160-0x0000000004E90000-0x0000000004EB2000-memory.dmp

Filesize
136KB

Download
memory/552-155-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/552-157-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/552-156-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/552-153-0x00000000048C0000-0x00000000048F6000-memory.dmp

Filesize
216KB

Download
memory/1336-240-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1336-239-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-254-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-233-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-234-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/2908-236-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/2908-237-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-217-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-218-0x0000000000F30000-0x0000000000F46000-memory.dmp

Filesize
88KB

Download
memory/3192-219-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/3192-221-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-222-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/3324-251-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3324-252-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-231-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-230-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-242-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-243-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-216-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/4124-133-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/4124-172-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4124-154-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/4124-138-0x000000000110B000-0x000000000110C000-memory.dmp

Filesize
4KB

Download
memory/4124-137-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/4124-136-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/4124-135-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4124-134-0x0000000000E70000-0x0000000001138000-memory.dmp

Filesize
2.8MB

Download
memory/4160-246-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-245-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-225-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-227-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

Filesize
10.8MB

Download