Malware Analysis Report

2024-09-23 00:26

Sample ID 240510-ql5hkagf71
Target XWorm V5.2.rar
SHA256 05fada2e6713448dbbe9d21ebb526de06dc06e7c330288f571e929cd6f6e7e6c
Tags
agilenet agenttesla stormkitty keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05fada2e6713448dbbe9d21ebb526de06dc06e7c330288f571e929cd6f6e7e6c

Threat Level: Known bad

The file XWorm V5.2.rar was found to be: Known bad.

Malicious Activity Summary

agilenet agenttesla stormkitty keylogger spyware stealer trojan

AgentTesla

StormKitty payload

Agenttesla family

AgentTesla payload

Contains code to disable Windows Defender

Stormkitty family

AgentTesla payload

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-10 13:22

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
(56 identical rows; no description, indicator, process or target was recorded for any of them)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 13:21

Reported

2024-05-10 13:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2656 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2656 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 13:21

Reported

2024-05-10 13:25

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

95s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
(64 identical rows, all from C:\Windows\system32\OpenWith.exe with no description, indicator or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 840 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 4244 wrote to memory of 840 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.107.128:443 www.bing.com tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 128.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp

Files

memory/840-13-0x00007FFEF9920000-0x00007FFEF9954000-memory.dmp

memory/840-12-0x00007FF6D2F40000-0x00007FF6D3038000-memory.dmp

memory/840-14-0x00007FFEF8CD0000-0x00007FFEF8F86000-memory.dmp

memory/840-15-0x00007FFEE8A20000-0x00007FFEE9AD0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 13:21

Reported

2024-05-10 13:25

Platform

win7-20240508-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2070b350dda2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7ABCAAD1-0ED0-11EF-91CF-DEECE6B0C1A4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000720e08d3b342b38417fcd621f27ffa1cddfe47ec2d7d4e8a47afde16d0b27483000000000e8000000002000020000000580f071f7648288e1b249b9d33e99b936a6f71238100419886095554da208b1a20000000ff022ed1a89c8267bfebb9e41c664d6b90ae16b5efaf7e0da45afdecdae86f1940000000b83ea186cea750e3283a5fe90274a261dd5283db4ba8040d8b383a7eeb4901b6807b49dbcb4114d5251d1c7e69119145445fdaf71cb543661b191ead5cd81a12 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=XWormLoader 5.2 x64.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 dotnet.microsoft.com udp
US 13.107.246.64:443 dotnet.microsoft.com tcp
US 13.107.246.64:443 dotnet.microsoft.com tcp
US 13.107.246.64:443 dotnet.microsoft.com tcp
US 13.107.246.64:443 dotnet.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3A06.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3A28.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c004f9a06b27b3e2aa4c8f541618031b
SHA1 6d0b72282b2e62cbca54fbdd76b17c7a4121c801
SHA256 0b6f64342603e6cddf586e6072dd211c2b39d2924a4a4a88091962feffe839fe
SHA512 8d7e294c874e46bb43d80975416c22101364224b62b19541df94bc0d16aca9f69e87697860e93f20f486f8c29e81c1d2fa58a2029fbee3d1c33b8e06cb7189b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f58e7b5acda464c1cc1f96834a29427
SHA1 8fca6b1f900906704e1b6547b4ba65804290ba2c
SHA256 5ac7e27d0b17b245bb6e5a9bef170d6e6333b64c78f33841dfa8d17dc4ffeb41
SHA512 cc18ff2480b2facd1cecc4e03899a6d2e2284e35c15caaca6155d8d1de4208074aeb9d669951db6cc17c9e05ea4ad07e85bff1573007337cb0a4d929c4fe88ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bca6a40234d54da4b91e90e19e244d97
SHA1 e7cb487a8a627b0353946ced9770b1ff8e4b7499
SHA256 24c57709b3831fd5b74be5757a9b1c780848ee690f2d0d63735ba9f2c0305ae1
SHA512 b496f12e501ca5781ace678ea9c21f23d2110db9a7e74ef77857cea6d8efdcf093a9533c20566efce44d156501735fcf778c1c414308f6210e7584f430a14cb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 392ca394c0be6ebec9dbd1dd2a9a9e37
SHA1 454d790941931d0601b3de9c2ce0c15d00db04a9
SHA256 92d2a95ddf7e45e8815ce6e02d7897e94b4a461b85bc83afba644b55181e78bf
SHA512 ea3905c0353efee9288ac5def0071a177e22daa2cea722fd503240d12d24b18e0332c251c7a806b60ee135002d7b476e345f919a5801e055697c1e802a7e67a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02939135859066a305b385e7f4ee5fb5
SHA1 e8e473110c83f123370e88c108831a27b7976628
SHA256 64692cdfb3610548c5bda4b2f3401d824ae1a7a9d0a8a1d290a4b392b8fe07d8
SHA512 a79dbcbece40fdd2e57f95f23046d864859499eee2298d55c0c362451524f5d7ad5450603394f691a2c59861e70323954a7dd5f956e2f3e01cbfad25a6ac8f34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f6a23a13075916b81e61ca8b718acdf
SHA1 16b610929d1b68995d4644201b147f97ec349274
SHA256 9febcdc42903bd478e9347fcdf136ee6e412202f697755a11acc389d7c2a1a7c
SHA512 b8c1a0c70f6a6311a4c048592c59690e3fe2b2c40d898fd90fc76b4d69437cd012c08126c3ddb50880444222380a6709672cf01f8506edf1d236d702a6fec7ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91bfa07d2410cd9a9ef0f362c0dd548f
SHA1 f4d11df60650c016fa4c3ecb0e3821ff64142587
SHA256 ff7a17d8af65b3a94e3c27731216515220c1d46646ba03b8253423d20f50e3dc
SHA512 047e4b2fd63b91cd6d4471a1926701ba34d794d3cc5bda08a4ba958198a0cc330180d64d9e47aaa1eb91e70d54b847be786811c71553b6bea09a9dff3375c451

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1166b6693414ab64f664b725faac3ab1
SHA1 dff0b67229bbf07790780e48b030a9a8445a30d9
SHA256 936b0a2117608c6fb48b28becef0d5119da5a06612c35d59ba815c2b132bbc4d
SHA512 5956a7778f83a4973c6d03a8f201df6e8c6715efeffc896aacfbd45b5c79e677e819bc84050a61787bc3543d818b2b6fed04e3ef07ae0c2eecef8054bcb21361

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05dabe425200c12789080c83b795e433
SHA1 4f3aa78a44c0d113e9a135722606deda08c131d7
SHA256 8db9fe6ed5c12a455832335966420e0c6420683af25ba291b1efc62f57f341d2
SHA512 88cf64469f098d26a7078863035adacd5c311a74144da4658fa21ce07494d2054fd8f63259eb03a79798f21a106f083e54f49fc5c1b885022f65a6cdff3e3611

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9923ddcc7ea6ecdaa470a831126b12f
SHA1 d8a8d56f1f7749aa36f1a5f11d1e84638da18629
SHA256 486db728c5a8924a0a550d5f3ed465a235e55aa758368a6a8bf76924654a01b5
SHA512 c5a31208c60ac908be5ae261b66c007878e6bd6135eeff93756432a3e1961cddaa8f208afeb1baccbcd73f1530f16addd72ce5e14ad8e746aebf08b5d855cd0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67f7458417e1fd40c99de76dd95796ce
SHA1 007b0863a615479a846af2602c50618fb8782957
SHA256 64f9376cb4a5ab92e986773158f8678052c547ece8c23366e28a5cba0d0612ab
SHA512 5fd6db910406e302641ea3000b4cbb7179b8a5a2774a35011d098964cc84221f558304b1213829a03e95156a6971f4c3e48cc17211b9cdfa5e7eb6fc6e08a9e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f372e8d5005b4b91e756f3f6559e2854
SHA1 94a9cdda14b2c63a42a83955144484608833937b
SHA256 e7ad632139154e8d7787c56e166e49c3f9d4f7f068a201e1607fc0c35cc8eb76
SHA512 1eb2610b39d4857f25f0930b7cc576d8b6349cd103f2b5d02f9cb0ca2be22590c53c4dfff73b585eb2702c58e07414eb598f42739169ac43b210158a275f5f4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28a193010e8abec7a23fa9083395a1a6
SHA1 ab8fdda024ee1979e0a1860bfb8899716087dc4c
SHA256 3dabf2a1326a707ec80590d3216e37b3070c1bba7badf1f476af7b0f7a8e0e1f
SHA512 bba5f51b2ade96b39e7f93e0062a676ce89cfd8ed5ec153113cac85ab2dd4f8131454b59d4455ec87901d459ad16e9e73e6c2b2e38aba61c0d94d950605abd8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86d61dcbc37dc91115b4aac3e0d6bd9c
SHA1 d0c9206fe06b1c19c6dbd82205070d46002f1a1c
SHA256 33a46a810be1b45dff4086d6ab11f84ccc5f404ef51df1951c70c967255c79dd
SHA512 c356ed75e3c15106abc1d53cbbed115a684bea80beaed680e907269adfac3ca3696ef967e13dcf91687ecd35c814fc58e0c90a11f77caf59bbe1aaea0720eb44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4cb57c7f4e88bf20d745c260a9fbea4
SHA1 e3b764b6f551a17d93e99df54986dadcae806d0d
SHA256 52bf4435c7c0001cdb468aec585700468f9089067d5daccfbd86ad628c848998
SHA512 cd72e0d33752830e0ac99502cfbf33e3513c6363182b60385dfc460b9ebe14640c99c59cd922051d86fd9dcf2da387cb313589eb7b5fb3be6475e40465358ab0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2ad893ff11f0218e15f51252fe2e80d
SHA1 491d05fc68bd23a37c78a3d6d4010ae89029754a
SHA256 a0d1e9a8fabe3a6c75040fcc7fbebe13eff535b7042a07c6a0e3ba1fede5cfeb
SHA512 64f511948df106ed12b6ef5437dc0e47cf6714892fa3ff7336210767179cb8837980ce2d3d12f6e94d6f624196caf36b06705a0eab761b6186c70f1d088cdfb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 286355ed19357fd119b29d465bc8b7c8
SHA1 dd811340287f6a2307940ed00ce7f79d65699148
SHA256 69c85a543294dbf55f723bbe5be6c50a6074c8489000537275486df4c79cd36f
SHA512 22cef6cb46d9969c5547dad131b0b96db859e698201418af615f06757da655841519f9a03155b79630d0949f796778a9a38067312304c6bf1750b56a0c062573

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91d1e858f90e3c6349e1a93ba049511f
SHA1 b2b7218214d8b647febfe00d28952cdb40eabd89
SHA256 c43f5c4deaae397968ede05099db78af368ef703ba4e9bcdc6ee292780a1f7fa
SHA512 03e2c05f0bd8c8cde99dee8a1cd25374946ae5e98d70b8a58524fa50f69122f1d1a3485200195c60ff88504ea0a8212a7db32623bf46f0f8380950be4b695610

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9717277ce931842bb657ce164d12864
SHA1 7616d77d340ea0495f9a1811133951b1c165fbd9
SHA256 d82067a89c8753466bbd5a5e6f9cd5ac40fbcd4a2601c65b76fe8969890e1f97
SHA512 2d59aff102a3c2aad419e18b97b6a9e71bd468d7dd8d452b5dda03a5b97c87bbc5b45f43e61656e753db9526c7249e5a16c20604d3374e9957c0671e0c4288cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd6f9722f5d814a6cb6d710225d903bd
SHA1 5489716690e16dd500a009d8525f360480104b1c
SHA256 21701927693dffafe2d6bbd03babd17bd25b1ee2d132480b099d5077c965b209
SHA512 adf4d0de357a09728f2fde28336d2b19aabb5a36ba11adbe585730b4d6f0cefb3cbb68c45eed885a87748647f6bc8856e2a560bb7e2b51b2624d74eb851db21c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 637bac011f412d11430a77c98f5bbdc2
SHA1 d4e5b3bb42e13f96586564111e68b7784ed9ffa0
SHA256 01e0a62d6a346f8b53082e483cc6d8c5516f12bd5fd2dcca77862ab4a5c9b4ba
SHA512 f917dd3d487c2a42285d7c098a0a029fcf48d57321863a116ba17ee8c34a47f6f8cd5c2ddcb17eeb448e280d0eb7447d3b5c8d83d2d5a853a503d6d4641d6a54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75bed9a5fbd20c5fb6a855cc61995a10
SHA1 d6fe4db66aef2d414476258e022ea36642652f50
SHA256 29ab7b6d4faea8deabb5ae0cb18649662b7499d0dc24a6205eaec27565c38554
SHA512 7243b0144ad590d829810a7d7e5fea7bab36c14bd20c732f6fdb1d790789f21b74d037ec0a70515faae0bfda00f18031b3684c5036cd314640426b801576d6f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75f632a1dc0baaadcd70500aa5fd5d42
SHA1 0a44fcbd95ecd9f5dbe4c47a70f5b20a50590907
SHA256 4f1e18faac2a7f625603343a57c9cfb19bc6c4045fc9f4d0730e35426f200d96
SHA512 d789aec44de07b480a58aa7fc07d0d8d105d1e865c1fa1bd17a8e9e3e98413bc75ea7c304ec01841b0e480c1e2136d786b6b7b3427a43a1b3e4b1c65d4c4e099

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 515a9276685fe15562a793bbf192bca7
SHA1 f274e3aef006656b7e6955f01febc7cbd7c72bb6
SHA256 42ba5bb238acd3965ae16d7a9c8a4b1bb6c08ae328aecb34f3c391c02043705d
SHA512 5f3e73ebe969848971b6c12cbae4e2e091f78705ad8a3d50ca5349c80de74fe658e93bc92475d62645ef7a7ad9029e73f88a52935779c75681858422097754ba

C:\Users\Admin\AppData\Local\Temp\~DFAD44EC75A2FB657C.TMP

MD5 2e030fed125320abd904b515477bc45d
SHA1 8b28da85480a0e5b7aecf31f183f7f0d2549b233
SHA256 e0550eda80b70b82a5d983851b03302e9f8b7642707a122c1e4f68a84c401412
SHA512 bb3832536f86d244a157d52d1820e6774a3bd1ca64a793a16657ccc19d3d2f73c9421f7192aa007ba7fd354be740fab1ecab733c03203b73c92db7fa869bb642

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 13:21

Reported

2024-05-10 13:25

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWormLoader 5.2 x64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp

Files

memory/3204-0-0x00007FFFD8E43000-0x00007FFFD8E45000-memory.dmp

memory/3204-1-0x0000000000870000-0x0000000000890000-memory.dmp

memory/3204-2-0x000001B322AC0000-0x000001B322B02000-memory.dmp

memory/3204-3-0x000001B322B40000-0x000001B322B68000-memory.dmp

memory/3204-4-0x000001B322B70000-0x000001B322B76000-memory.dmp

memory/3204-5-0x000001B322D10000-0x000001B322D6E000-memory.dmp

memory/3204-6-0x000001B322D70000-0x000001B322DC6000-memory.dmp

memory/3204-7-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-8-0x000001B322B10000-0x000001B322B16000-memory.dmp

memory/3204-9-0x000001B322B20000-0x000001B322B26000-memory.dmp

memory/3204-10-0x000001B322DD0000-0x000001B322E0C000-memory.dmp

memory/3204-11-0x000001B322CC0000-0x000001B322CDA000-memory.dmp

memory/3204-12-0x000001B323A50000-0x000001B324688000-memory.dmp

memory/3204-13-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

MD5 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

memory/3204-20-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-21-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-22-0x000001B324E90000-0x000001B325A7C000-memory.dmp

memory/3204-23-0x000001B323800000-0x000001B3239F4000-memory.dmp

memory/3204-24-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-25-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-26-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-27-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-28-0x00007FFFD8E43000-0x00007FFFD8E45000-memory.dmp

memory/3204-29-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/3204-30-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp