blackguard | 9897c692bdfe80626c96d8825834be9158979c2926f65b761e41cba607895d8b

Analysis

max time kernel
46s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

betabuild2.exe
Size

8.0MB
MD5

f8e150ff0e3788bfc18558eafc94d921
SHA1

26e06740e70783caaf20fb4ef9bf6e7e57cea678
SHA256

9897c692bdfe80626c96d8825834be9158979c2926f65b761e41cba607895d8b
SHA512

52b11e5afe60d792b64136053aac00057ac3888e93f028a3fffecb3b8f0dda2ae4fe2b8c6a74e9972538d377a51907f13fe8e2ee08d2d6906952a4d892269ffc
SSDEEP

196608:O8t3afccVSE+mfkSV6qfwI7fRxzpkhuUgF5io9:xt3afccqmfLh7pfdF5iK

Score

10^/10

blackguard xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

5.39.43.50:5060

Attributes

Install_directory
%AppData%
install_file
svh0st.exe

Extracted

Family

blackguard

https://api.telegram.org/bot6890098459:AAHjv04XcY7xWyP2Vkp5g2wyR9vE4yvtyHs/sendMessage?chat_id=937347419

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023205-4.dat	family_xworm
behavioral1/files/0x0008000000023205-10.dat	family_xworm
behavioral1/files/0x0008000000023205-9.dat	family_xworm
behavioral1/memory/1364-14-0x00000000003A0000-0x00000000003FE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	betabuild2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	VegaStealer_v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	buildbeta1.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svh0st.lnk	buildbeta1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svh0st.lnk	buildbeta1.exe

Executes dropped EXE 3 IoCs

pid	Process
1364	buildbeta1.exe
4188	VegaStealer_v2.exe
4184	v2.exe

Loads dropped DLL 5 IoCs

pid	Process
4184	v2.exe
4184	v2.exe
4184	v2.exe
4184	v2.exe
4184	v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svh0st = "C:\\Users\\Admin\\AppData\\Roaming\\svh0st.exe"	buildbeta1.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	freegeoip.app
6	freegeoip.app
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4184	v2.exe
4184	v2.exe
4184	v2.exe
4184	v2.exe
2088	powershell.exe
2088	powershell.exe
5016	powershell.exe
5016	powershell.exe
4512	powershell.exe
4512	powershell.exe
4940	powershell.exe
4940	powershell.exe
1364	buildbeta1.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	buildbeta1.exe
Token: SeDebugPrivilege	4184	v2.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	1364	buildbeta1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	buildbeta1.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 1364	4064	betabuild2.exe	85
PID 4064 wrote to memory of 1364	4064	betabuild2.exe	85
PID 4064 wrote to memory of 4188	4064	betabuild2.exe	86
PID 4064 wrote to memory of 4188	4064	betabuild2.exe	86
PID 4064 wrote to memory of 4188	4064	betabuild2.exe	86
PID 4188 wrote to memory of 4184	4188	VegaStealer_v2.exe	87
PID 4188 wrote to memory of 4184	4188	VegaStealer_v2.exe	87
PID 4188 wrote to memory of 4184	4188	VegaStealer_v2.exe	87
PID 1364 wrote to memory of 2088	1364	buildbeta1.exe	99
PID 1364 wrote to memory of 2088	1364	buildbeta1.exe	99
PID 1364 wrote to memory of 5016	1364	buildbeta1.exe	92
PID 1364 wrote to memory of 5016	1364	buildbeta1.exe	92
PID 1364 wrote to memory of 4512	1364	buildbeta1.exe	94
PID 1364 wrote to memory of 4512	1364	buildbeta1.exe	94
PID 1364 wrote to memory of 4940	1364	buildbeta1.exe	97
PID 1364 wrote to memory of 4940	1364	buildbeta1.exe	97
PID 1364 wrote to memory of 4044	1364	buildbeta1.exe	101
PID 1364 wrote to memory of 4044	1364	buildbeta1.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\betabuild2.exe
"C:\Users\Admin\AppData\Local\Temp\betabuild2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe
  "C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'buildbeta1.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svh0st.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svh0st.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svh0st" /tr "C:\Users\Admin\AppData\Roaming\svh0st.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4044
- C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
  "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
98KB

MD5
22ad67ec5f5676e1603c7ea69019cacb

SHA1
e1c07e8e6ade9c8a77298e1d50f7531919af7832

SHA256
1ba1e3401be6ad9ce47b13b05e46c9a0a8ed748e19148e84b63f036bea388028

SHA512
fbf053e8afe672cf26cf5561ae68edf429d91feb0dd5a7233c3d58f3d45c8d0e54a422549727ca877026566ba625ace02c668d4fd8634eb7b01f20ef218fbdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
162KB

MD5
cf2428fef06816f75e160da0be4d61d2

SHA1
20a7753ae71b20b8e9c66d2161ed63ab51349c68

SHA256
4c03e02e9f51bab56fbcd04e4f22f638fd486a49345d91dabb2715480e6436c7

SHA512
45b386939abdd700d78e50b0b55f9eac949cb86a7d14a8ff9de78c4b1a140d5b1df1797186d10200c42f7aa3052ae4da43fcdf55cc0dbdcf85784a9ea9cc0107

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
81KB

MD5
9899b5ee9eab2a8af299ff3c7a26d37f

SHA1
8548cd3725e0a7fc5071235cda1f761e9f860557

SHA256
3969062edd506525bde7afa634d96a5afeac26aa30706d843212878d3daacc2a

SHA512
8b5ee5222ebcea08556f4b6c7926c763454e40ea485e560b2404ae3bf5e3baac111b0ad67300345f68a9dbc6738dd953aa0a81c2445c80ae21776c090d416666

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
138KB

MD5
415cd014658f80916d89b2e24ea947dd

SHA1
3035cc245d4c5dc868863a036471607c3c97f1ac

SHA256
eca3012de8b15a5023125cf68a4da499ca449c6b47da315fe76014636c1d1502

SHA512
4c62b646954ac175c96f8128d784194170d90975ce5b768a42fef5d8ace3ef13b77b247422cfa0c564cd00f6068e95a594a7410a16d8d0c8b58c9b0b224705f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
72KB

MD5
e10952a66f522bc0b4cba16c7248aec8

SHA1
3f1b2e84c71beb23b090632bd6bea8864e189cd0

SHA256
b3a1d78d42b67429ce9f77bb58ab57afb20caff820fe32bf2d791b5603ced227

SHA512
2b1724c4ba5cd8f461278ed033a02cbcb679c444e102f4538a11c9f9f67b04ed573012f51bd6497da8761edc88cdfbb3206cede5f19e3966ede41265c60d682c

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
108KB

MD5
dfdbf99e1402fdfc1e6f21037589b0fd

SHA1
2a9c792dd5b9ab8dfa4d454704014552f19cf736

SHA256
ddefeab943e9dd210aecb52c22169c6dfe30c5f45faa2f29c6e0bb04bb7408e8

SHA512
c06a64ebb4583647a77438670e8fca427c6a04e5149cd4d3359d9baac315fce03a14824f50457bb6d0e9e50a35b6646f6181f55060e984b43f3dffd8bebeba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
149KB

MD5
839654501d7f69926997ef5a9ad00187

SHA1
2e07a23120fa2870b0178afb33a5f085b8c57d5d

SHA256
2055d73379fa269256cb900a7a271a7d3b121135976ddc7f02820539a712aabb

SHA512
b84560bf0d75f3f8f70b9a9145b31ec997479dff7d9215cf34e1b2bc01a428e6b9bf0f56657c5e776ac31ec933977406e38662881d3273a39ecc550773649de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
159KB

MD5
9c9b00c3e17752776678d46c6d29e29e

SHA1
6cdba3a9566e0c68594fcb74f9d38ce432624b9d

SHA256
052fc467e293a0bbd0e4cb4fae27694fe3d025cb72aac62406c104e5f25b4d2d

SHA512
08d7d77344b03c7cb347885bffed4712eda3c052cb941d6d4d2377eae6dbb9cea9997519ae0632d266c6b088b12cb70d869cd41a5351767c0c27d02d89fce7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
266KB

MD5
44cf6df54dd45f1806c4a04d029e4e39

SHA1
f11405838aad8969dbbec4d7e4fe673768fedc8e

SHA256
e240c7e78ccf8c4fc5b913289ded8b1f82f165b5173720a6e0bee36878933e8a

SHA512
89fbc621d88029b04f325ac676227d9136571ca3c693cde141badbb24abf5b1faa7ced98aa9a25de85ec44232156f77d5ad51b8904def9a6bad1bc972033a895

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
315KB

MD5
128590951218ccf2f43d5bb9d6909bdc

SHA1
dce082ba597e499982580b658308dc5e07ad81ba

SHA256
1fb48c0bd23139d35bab117e07888efad758db67fd17a186747fbb76c87cf986

SHA512
b11b8051af94a24fde31ca1449053a7cc5cfbd9560ee64c459559ec2770ac427a658a005066a567aef317b7e7aed4a5b4d0a5b793a2126d62c3448e83d6f128e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
258KB

MD5
b719916bc3b27de79d5f15ae1ba5a1f9

SHA1
b6b65922c205f964358e4069a6d7b847eb3812e6

SHA256
768d668c0dd117bcbfd184bfda4376b262392a80567773c38de520ae5ed4b4e8

SHA512
7751f11b56ff3daacc5ab70ca3ce5faea1b992bb694c272015d1f2efea00f1d923902c301d256999f4c651880537a450a71b69dd9cff62478296b540d1c79939

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_on52v4of.nqg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe

Filesize
184KB

MD5
bf53720ac36b5275edad8cad1ef543de

SHA1
44972383bf9fb6613ffa949f73e13902e4fdc2f7

SHA256
71c3f7ab1d4cb61debdd1282ddf78dc2333ced050f575ffa9bc8321dde206fd5

SHA512
598f82d43adece31fa954f3d46370d7c02e6d679e08607cc7c0c902729bd51e6680e0b4e67bd906190ad29393ca4474a330ddf27248a57c03a0f37b7f8797688

Download Submit
C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe

Filesize
280KB

MD5
b382bb6d17f61048b5c0ab8d75fba7d1

SHA1
c6d440b659b4491da2abf455a7c4c73080820b47

SHA256
ed0c085573381a20846bec56d2a55fe1759ed57ed61bb79ae4208b560c96206b

SHA512
8ab94d986def3d73f583be3d666cd35955dc5dae549a5430706a654ba1288479ba2ab3ed7fbb69bbedb6e4a3a8fa4690e52cbea1c8d2bfe46a86516b53aa6f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\buildbeta1.exe

Filesize
244KB

MD5
c523ebd4c89bcbc11b4be5ba496d827f

SHA1
27ed79f099c1c818270fe40937bffbdb708ab13d

SHA256
b21394168c65dc585c9f5e4119b87398be0ecb920aed122d26a1c417ede89b68

SHA512
dcfccd0cdcd69f47e87e7377ab6edfe3eb24840945e7e759e65b0415968cd9025c0a03f3b5ebbc30a8a1e62a026515acd98dbcc9a1103e30c0aa288fb88aec8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
164KB

MD5
1298b355d9fcd7dfb675725a1ef96a9a

SHA1
ceb87ab029c2a839bdd17c9769432a5c5a4cee34

SHA256
1512762ec571fc73329940bf0001b54ace3dd4cdbc8a93e4dbb499e8e8d12bae

SHA512
ff71875a2bbd8cc6dda9ca74d064f48f80c72091f0ae82fb3eb7a286394dd692f66b5d44cc9e8e8514ed325adbed8240358946a7004f2a839dfe661eef35e439

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
148KB

MD5
15a38a68ffccc69dfe74429f63a3fa35

SHA1
9ee5de5e351e86f718b0efe1d5daa356536ef893

SHA256
96fd92eb10c006dd60f54bf175e8cdf62e0e7154ff45b6c04bcc7eba0b5a3939

SHA512
8f0dcf91191722a27552c62175a696037dc80dce0fa8bffce11dc782a5c1a9c48ce79b85ae2a4efcf2d5a2b45a57de1e94072d0eaaf09b6748881787d213f9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
141KB

MD5
f334b1bc54993a17cdf95bb6c70d085a

SHA1
e28394d797d64841fa532571df79c4448f6d3d18

SHA256
324e5960fe15bfc590dccfc678ffb74002fd748aa9e34943142af1ed970cffe6

SHA512
d5499a27d9d06c10836f663c52091b2fe85cd5a4b1ce72eb8a839617e10a3bec5f9fec71f5c68bef101f95a73a8dc41d9c4bb239b3da64a1bcc1ad7962c2ceba

Download Submit
C:\Users\Admin\AppData\Roaming\NFFNDBZXuwuZwPwPyLBVAAKWQUEG.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\NFFNDBZXuwuZwPwPyLBVAAKWQUEG.Admin\Process.txt

Filesize
401B

MD5
ebe3c09afe2f986c714f68cb040dc652

SHA1
a58709f705c7b5b100cf92a88becc725a2f83ce8

SHA256
fe33803d707f29f703ee6f468288bbb4794ae17d62b9f83449dd569827838f7c

SHA512
05183c0601a5bed0b96e8924f8781533cfe68595e7e8a5ff329348f78166fd961fd01e0e7f725774bd71008a073bf1c0f2a94233c9892f904588e604fa0fca5e

Download Submit
C:\Users\Admin\AppData\Roaming\NFFNDBZXuwuZwPwPyLBVAAKWQUEG.Admin\Process.txt

Filesize
1KB

MD5
1f2e77119a821285fc4859d0de8ebeb3

SHA1
526639f0de192be5d56e1dac675390a51b6a6562

SHA256
d55c46d43edf2cafbc6f50e5e7ef1f350164bbe728000513ee0a6a921094228c

SHA512
8ab0eaec36eea02d31f6bab350026413c3dba9c6a2d2e5db62ba20ee0f6b41ffc485ec970325f86c0995b69ee56836dd7792db59a2fbb509711d54a7dcdbe5c0

Download Submit
C:\Users\Admin\AppData\Roaming\NFFNDBZXuwuZwPwPyLBVAAKWQUEG.Admin\Process.txt

Filesize
1KB

MD5
0804aedd04831eae56f96e2cc765c593

SHA1
f11182f88cc83796fe0f26b48ac08e7736d1b930

SHA256
b85c33be6daef84d76ea68947ab79c217638d496a1f7aa7c790be72f6aafbd2f

SHA512
b59886d11ca7a29e623a10eb9675efe24a1fce90587ae35720e328a890b72f6a16f078513d4602d1c6536ec90b4513b68df58309b065399441f7ee796ed46c88

Download Submit
C:\Users\Admin\AppData\Roaming\NFFNDBZXuwuZwPwPyLBVAAKWQUEG.Admin\Process.txt

Filesize
1KB

MD5
66678a82213f3c5e71522b3af520937a

SHA1
2aab9b7f5146619788e723c076b8d288e5f61971

SHA256
372385305aa4234e562bb9fbc28aacee2f4acae68bed53c3dcc3a70067d009ca

SHA512
3ac8b8bc42c72719395f15c16c1d40dfb04f6fa1122f5f39e9dc1e116ef93f40a98faebada38e16c7d1783b9d3e2e01526d8b24a2ef4f81939bc713c057b643d

Download Submit
memory/1364-216-0x000000001B020000-0x000000001B030000-memory.dmp

Filesize
64KB

Download
memory/1364-21-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/1364-14-0x00000000003A0000-0x00000000003FE000-memory.dmp

Filesize
376KB

Download
memory/1364-288-0x000000001B020000-0x000000001B030000-memory.dmp

Filesize
64KB

Download
memory/1364-281-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/2088-232-0x000002BFBB940000-0x000002BFBB950000-memory.dmp

Filesize
64KB

Download
memory/2088-226-0x000002BFBBB70000-0x000002BFBBB92000-memory.dmp

Filesize
136KB

Download
memory/2088-236-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/2088-231-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/2088-233-0x000002BFBB940000-0x000002BFBB950000-memory.dmp

Filesize
64KB

Download
memory/4064-20-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/4184-215-0x0000000007510000-0x0000000007586000-memory.dmp

Filesize
472KB

Download
memory/4184-214-0x00000000070C0000-0x0000000007126000-memory.dmp

Filesize
408KB

Download
memory/4184-110-0x0000000005E20000-0x0000000005E88000-memory.dmp

Filesize
416KB

Download
memory/4184-117-0x0000000006270000-0x00000000062AC000-memory.dmp

Filesize
240KB

Download
memory/4184-106-0x0000000005340000-0x0000000005362000-memory.dmp

Filesize
136KB

Download
memory/4184-217-0x0000000007150000-0x000000000716E000-memory.dmp

Filesize
120KB

Download
memory/4184-220-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4184-105-0x0000000005630000-0x0000000005680000-memory.dmp

Filesize
320KB

Download
memory/4184-111-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/4184-54-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4184-88-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/4184-118-0x00000000061F0000-0x0000000006211000-memory.dmp

Filesize
132KB

Download
memory/4184-56-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/4184-127-0x0000000007910000-0x0000000007EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4184-123-0x0000000007190000-0x0000000007352000-memory.dmp

Filesize
1.8MB

Download
memory/4184-53-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4184-52-0x0000000000050000-0x000000000009A000-memory.dmp

Filesize
296KB

Download
memory/4184-112-0x0000000005680000-0x00000000056CC000-memory.dmp

Filesize
304KB

Download
memory/4512-267-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/4512-264-0x0000021057A20000-0x0000021057A30000-memory.dmp

Filesize
64KB

Download
memory/4512-262-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/4512-263-0x0000021057A20000-0x0000021057A30000-memory.dmp

Filesize
64KB

Download
memory/4940-280-0x000001D56C0E0000-0x000001D56C0F0000-memory.dmp

Filesize
64KB

Download
memory/4940-279-0x000001D56C0E0000-0x000001D56C0F0000-memory.dmp

Filesize
64KB

Download
memory/4940-283-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/4940-277-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/5016-252-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download
memory/5016-249-0x000002D7A51D0000-0x000002D7A51E0000-memory.dmp

Filesize
64KB

Download
memory/5016-250-0x000002D7A51D0000-0x000002D7A51E0000-memory.dmp

Filesize
64KB

Download
memory/5016-248-0x00007FFC321C0000-0x00007FFC32C81000-memory.dmp

Filesize
10.8MB

Download