Analysis Overview
SHA256
9ea7e5655b847e770ee629b265bdde6d84756ceef2b6fc2849b67ced1c16b524
Threat Level: Known bad
The file NursultanLoader.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 14:22
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 14:22
Reported
2024-05-31 14:25
Platform
win11-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jgerce.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe" | C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NursultanLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Users\Admin\AppData\Local\Temp\jgerce.exe
"C:\Users\Admin\AppData\Local\Temp\jgerce.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004BC
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:14677 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 205.142.124.3.in-addr.arpa | udp |
| DE | 3.124.142.205:14677 | 0.tcp.eu.ngrok.io | tcp |
| GB | 88.221.134.2:443 | | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| US | 52.182.143.208:443 | browser.pipe.aria.microsoft.com | tcp |
| DE | 3.124.142.205:14677 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:14677 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/2720-0-0x00007FFFAE693000-0x00007FFFAE695000-memory.dmp
memory/2720-1-0x0000000000B80000-0x0000000000B98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4uidhoz.dzr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4392-10-0x000001C767790000-0x000001C7677B2000-memory.dmp
memory/4392-11-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/4392-12-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/4392-13-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/4392-14-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/4392-15-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/4392-18-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4093e5ab3812960039eba1a814c2ffb0 |
| SHA1 | b5e4a98a80be72fccd3cc910e93113d2febef298 |
| SHA256 | c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c |
| SHA512 | f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3c0fe86517be16d2b0a671148c0274d2 |
| SHA1 | bd7a487a037395e9ede9e76b4a455fdf386ba8db |
| SHA256 | 5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302 |
| SHA512 | 642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a |
memory/2720-51-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/2720-52-0x000000001C300000-0x000000001C30C000-memory.dmp
memory/2720-53-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
C:\Users\Admin\Desktop\UnlockDisconnect.tif
| MD5 | a682f26f964e0a62e8784f082f11ca66 |
| SHA1 | ac3f70326fff08c3e0cf9b525d381edf1b8819f7 |
| SHA256 | ca96f8ffa68a50effafbc74f48a4e0feece12b02dc3a05cd6ad36452fc0a7402 |
| SHA512 | bf019049a367fac711a44511d4e970dd9e3b75939c7ec0ebf0329cd28255a4a9add42c273fd6d7ebce53753c9067b8c60360800f3e462e24864b4cace573090a |
C:\Users\Admin\Desktop\JoinSet.WTV
| MD5 | 552aa1d84575f6d28d2b2c4b86e7020f |
| SHA1 | 271166c6ab6c751d0a8743ceee9e123a83c7f593 |
| SHA256 | 50ee32a1c7bcadfb25e12d00b9159ead6f254b328e75f7f6914b4338ff3dde60 |
| SHA512 | 5d00fb4af17ec8e982011aa32dcf71a0451decd6e0da2d437f129488f93680b96467ecfe18d1ab9c39542780b9d5d7d54fab190ef2541da31d27af069f09d790 |
C:\Users\Admin\Desktop\SearchRestore.mpg
| MD5 | 6a137698decde4357ffa39bb2290ca5f |
| SHA1 | d38a2b92981326c62332f9ee7974957a2a0834e6 |
| SHA256 | 1ad916593eaff428a21fd56f372902cb746991ed76752fac9c3a31ec757a7820 |
| SHA512 | 1083d50f3a966eb2931946bb34f6e02abca301ebfe3b248659253cd75cfe144b17ffc970c366a7b5fb2c29c81640dd4c5c068a7eb018a9567365a19858397593 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | dbe9e061ccb1838728e19eb472a45cc6 |
| SHA1 | b304395ac69541054753ac075ff3679f7296f895 |
| SHA256 | f3f21aa9b341aa2291ba0d97029cdc57dd322b27bd965691bbbcd049ae40db64 |
| SHA512 | 951f60c43ba95e1aa8d05536031ee2ed64df609d11051fd103deae62cdee07b29745f23db00960ceacad2982847729446adb18d159ec6cbe781222a81a3e0ff8 |
C:\Users\Admin\Desktop\SkipLimit.xlsx
| MD5 | fbfcae44887ceb3bbe99b5586bd6f28a |
| SHA1 | 1bcff6c9c1e6a20c65b7fcd505e4a0377d883a79 |
| SHA256 | 1b77222e5bc4c38d190e5312f9f19a5b6ab759e83b4fde51e8633af9c3366eb2 |
| SHA512 | 6ee0fe3da6c666d7310e4525fa80184a986c027eb6fe2363ad0ad4f22e6638d1394bce1c83e447e765898160cdd41cda0fecef168a45979f2843b50787412500 |
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
| MD5 | 114f51c8e133382bcdebc919d33c5d81 |
| SHA1 | 27e3d191919dcb5dce0b878667324c8ecdf5062f |
| SHA256 | 07a36364faf4bb26fb46d46ea9f2553b58484fb4ed109c3d3e36ca2ce12b16b9 |
| SHA512 | 782e4e9f7586b1defabc91675aa4ad26ce9ba3a2caaff5d2487c0d382e8582558a31c51ae20f3f4f07b762c9e594ef9d6e2eb2a6c16aa249c73b0cbd857faa61 |
C:\Users\Admin\Desktop\MoveResize.odp
| MD5 | 9b08cc40cd6309f3d8c2fac43adfcf60 |
| SHA1 | 6ad89868781eb5de0185200cf5de7bf55a06c87b |
| SHA256 | 09dda7314f59215c2ca124bfdd64f044a40d9421d9f4d5f9970f37ba341b5c69 |
| SHA512 | 67bdbc7b2068b714a4cc76321c9b05fa61e02d496eaee43fbc8bf3baca756b9d93a23454e3eeb8f6791a6e861f27b3ecf2e3b35bfa07a8405d351cdc3e0ede1a |
C:\Users\Admin\Desktop\MountShow.vssm
| MD5 | 0ddb0da4283407ca0f3ed2e4f85ce987 |
| SHA1 | f550eae7a0c9375604730ca8d55fed47c7eafc09 |
| SHA256 | 7870ebb9896142d5fd40a79b5bfa0e9bf99f28229d6877d14ff6f8d1187a226a |
| SHA512 | b058c5ae846313ea1a67b6ee7f8f1daddd5abd08beee55af2a40f146e8386d00e9daed09afc7dde61cd796b67871512162fcc5998d30cb3954fec67a864a80c3 |
C:\Users\Admin\Desktop\LockGroup.MOD
| MD5 | 3f832064dcaea42f4042cba22f843e45 |
| SHA1 | 2dacdfc9b3c9ce93392d950971325155bfe95ebd |
| SHA256 | 84656eefac95cc97f75cc2b42ed6e9610b50525a41c371c6d69bd8f0858a2f22 |
| SHA512 | cff3c4212e6b9461e36725eddb3a442327c2d9a5f63539df1b7821cd5d22b0afc8a184465d1c156c99d9f8104b626e6b163f61d0d90097b89f83792bef3319d6 |
C:\Users\Admin\Desktop\InvokeUnpublish.mov
| MD5 | 3d33151fb89d055b642d6aa3fcbad3c0 |
| SHA1 | 9f42d8cd1ea0782c078e54d08d0fa5be12a08ece |
| SHA256 | ba1774c9b1ce31c8dee5ef21d3d1b61e4a8d67c0b1abb23523ff20d2a1fbe20e |
| SHA512 | 7a77d91450058772bfa3b1bc9bcfd15350e8814210be17975740a17347369e3d8061b6ef90eae9849b33262a8f4bea4d4b7dc4b007d89efb0466a5f264efeb8d |
C:\Users\Admin\Desktop\InvokeConnect.m4v
| MD5 | 12bd32bf294c9b018daa88688c167705 |
| SHA1 | e19254020f4194c770073c93a8ca667057cda9e8 |
| SHA256 | 34127e291a06313d93302ff4a1914a62f65d840fcaf6e2deaeb85ab7d4d52873 |
| SHA512 | 32c04e44e792dca0f147dde41fab02a6b7aac7a226b026da4d4031b06e315bd64d7c2154a7449a2ce199f6a0ba42ae7094bbf3603b0f5d9772b292187e60ecc8 |
C:\Users\Admin\Desktop\ImportRedo.aifc
| MD5 | 93719d5b12bd768b4827d7047cf2781a |
| SHA1 | e91704e525cffd7e31539d56d33a87731494c46b |
| SHA256 | 19d9268577d5d5da02c05057dd431853b6cae59fac14127eb75458137a225d5a |
| SHA512 | 80c14988b8d36e0f765c73f1d665f610cd615f9a2299042fc1ea9530d11cf1ebd61f7bb71527ec69ff87c260e5fc252b08fb9e301599645b6a4b4c8b57d7db19 |
C:\Users\Admin\Desktop\HideMerge.vdx
| MD5 | 8e86dd514c3b31b7b19a6d82084f9187 |
| SHA1 | 20a9f9a2f19a784bf2af94c854aaa3df42905f44 |
| SHA256 | 5034aced10aee3b7aa4c26c7617c36a77d19b723a56a6bc278ffffd98363108d |
| SHA512 | f680032181423596d304348ade95b1ec1162bb1e0a9341a7fe3c497c7aeb5d1edc3487bb04060525b077ba5c92eb16285e79471e0c18b4ad2a96803ed2cf3ed6 |
C:\Users\Admin\Desktop\DisableOpen.svg
| MD5 | b20dd80ead2617dc3166cc88e6161706 |
| SHA1 | 1b8188b1fc85466dd7a8ae84d0afb4c110472e6f |
| SHA256 | 0ba87712bd67cd58fb32b6b4e2bcdf28dc5c5c54aa5a78736a3f9e18f562dbc7 |
| SHA512 | 756fed251e2f888b4a6590f87bd719e447a042c7ebe033d5eb36f73d4d7e5a61e7257a2f0a5dafcceec607a796c7953560a549e61f1bdbfaf74b739ff72aad78 |
C:\Users\Admin\Desktop\DenyStop.xps
| MD5 | 4d804bcfdf4139560719581bbbe39e2c |
| SHA1 | ddad6529adc093ac14d3aea829d22274a6b0faf1 |
| SHA256 | 152d762e391993b2f3a04e1764383a30c851e52f7ed1ce691463bc95cce70b53 |
| SHA512 | 275d78a9fba523080cf91eaefd566dc9124755d35be7843dfa4030262bb29238b9529671db5cf7d434afca9dddc03f7576f148214c1fdda6a01b52551cbf4a07 |
C:\Users\Admin\Desktop\CopyUnlock.3gpp
| MD5 | 791e4cf5932440ccd8f6ed54d3eba463 |
| SHA1 | a4e5b95511b647c6f1459650da6866f18b0debeb |
| SHA256 | 9ed9032e9ae9cdc7d28d36e5dce210817e01a915775eea91d9e9d24aaaa85745 |
| SHA512 | 0bfe8246c6e25bf9d666591e816f0885fdf67deea7b50fcfb9d9f6b0213828ddea4e232f15d93cc7fb0e11f035c243b87e58b7fea4c862d7b2cd02f3702de9a3 |
C:\Users\Admin\Desktop\CheckpointMerge.xltx
| MD5 | 56e2fdf5721a189aec623d4a6b383df1 |
| SHA1 | c18f8cf823531c3d24f7e2651c76624b67b6c0c1 |
| SHA256 | 54b0656f79e476e880e6d53ec28241cbb31e5e58c1467935c9df9b56edb46521 |
| SHA512 | 49ae628eecac25bc1355213d69cfd43712a56519497e52962460fc555363ed93cb7a2f0dc237495a7a7a012f6ebda28e8e574efe7abbf470d1f53920072d42f7 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 2eb702965aeabb66a1ce760bffbe5d75 |
| SHA1 | 356e3395cb57bd0999ad880b75f4b090f7ed5280 |
| SHA256 | c88861cef0572764300091ab10e857f28e603cea679638c8c919145006eae871 |
| SHA512 | 09bc89f5910dc7c324948d880d60d7b87523bae73a628881837afc5492705f56e4c7214c22519a41080b50d7d64e3ced585072fbbfbb7adf968ee20861df41ed |
C:\Users\Public\Desktop\Firefox.lnk
| MD5 | d453202d8232b602218441b59b945265 |
| SHA1 | 11c6a47fd44c9ae39fee7ff428cf4ee9b92337a9 |
| SHA256 | 340569335d39de8184e9ea87bd3888d322cfaca127522b407f0279a4441c7147 |
| SHA512 | 701ac99e1406d39ec55dadbc201b99301e949dcb3ef7f26228d96ae3d14c759135056a42c68fe4b527e279aa23517555b037ee19ed56e4246981ff37cc530891 |
C:\Users\Public\Desktop\VLC media player.lnk
| MD5 | 55bc4c4831db98457a0134293f270124 |
| SHA1 | 651f0e86ada21e2f95f919fd0364099d4ca34f4e |
| SHA256 | 894e3cea04571f7cb39d18e72293dc5908363ba183b79d2a0873688decb0256b |
| SHA512 | 91c64fe850c807172ab44aa5b08f0b3073e1d7782f3464e9f24e4818098c609991c7192243eac99f243a6d0209ad6d25e04a2a4bb7bdab585ee5d1ad20d25943 |
C:\Users\Admin\Desktop\OptimizeOut.3g2
| MD5 | 8d3ebf1d29686e0adfd08d93ed4af02b |
| SHA1 | 3a42289c29f27d3b1c11b1a6ecaac8d07584f144 |
| SHA256 | 01b28ee6806f90dce34eb036f29ef4f4ecb1a852448f4fe8146e78f9fc3f881d |
| SHA512 | c97183e1ba546be87c3adc073a2b37068a8da4ae0f00e25733e074400070f8ccb973675e6e8b913f5e111bcdbda9ecd93769078e472b72b5afc0dcf951f62f9f |
C:\Users\Admin\Desktop\StartTrace.asp
| MD5 | 25c70a5149b3812cc8c6410e618a7bb4 |
| SHA1 | 2af7d45bb6385d9d30a3106b7ff11fde4a60bc1f |
| SHA256 | 40f28d36ce508ed27da868cabfc07c55f2abf483401fedca08cac28b9af88d29 |
| SHA512 | 8db6d3eecea9546363bb5345911d484c73687503a103c79131944e5469e91cd0bec9c9af1b9d6f2f60187d39e32b9ce7671f02f57ead6bdb847de097935ce9e4 |
C:\Users\Admin\Desktop\ExitSet.jpe
| MD5 | 510feadb835cafb54e0795fdd18b0de6 |
| SHA1 | 59588f44fc1792a6f1e42e9658a3926d300cbc44 |
| SHA256 | b3eceec3bfd37c2229d88a9dcb0001e77c2ce635333f0f7c2bf73aa1c39a3d18 |
| SHA512 | 63b6d4ee3a6f5d26a30fc34707ae332e9c9304ca84b9da6d3b9cc410d607d95bb5bf484532b7d0d76a85ace96b7ffe24d1776545d957fbe98eacc55dbf70fab0 |
C:\Users\Admin\Desktop\WriteConvertFrom.odp
| MD5 | 6761118eb67813809f8a800a9da0eaf3 |
| SHA1 | cd35f6822d87f1ae74e26d85dce048ffb4e0a793 |
| SHA256 | 7aed0bf6ad87f153cc5a86a779200ce9f3a84846cd7520dae2e1076f28aecffb |
| SHA512 | 7ba7477a501bd61188c202d19ddd21f6785f1858bd76bf968ebe39b8b40c9dea6d2d4cddae65f155cf31b9d3773935e816ed33f862a25afa9f598d46dc03d40a |
C:\Users\Admin\Desktop\WaitResume.potx
| MD5 | 6ac6da25cc6a7ca1e53c424cc281eab9 |
| SHA1 | 0f08885680e06573f5c49b03056cb24cb698a49a |
| SHA256 | ce7e531c3a7eaadac54796b29e0eb6adb1b1e3f08db658a4402906b9cfa9d856 |
| SHA512 | d50f9cb259e1ae112bfd12c0a3b08e60701bf1ee253cac59c0155922358bead98241797ab442c547e63fc707f01b90df90e2fa09c944bd48b1c2f328b4a87251 |
C:\Users\Admin\Desktop\StopExpand.mov
| MD5 | 315b8b874f790819d3ab1b62c8a19197 |
| SHA1 | be1f684e121205bc9292b5e27d31f8387efa318c |
| SHA256 | cbc052cebba7e901b43f90aec1ed64bfc5aafd1d1cfcf659775191de29e04051 |
| SHA512 | 0da6a10dbb2082ca97a0dc5857c9b099ed56b6c851ef3550af5ae58cca0d33a257ea5145028ef952bac5efd35c725214920335a74b5b63e70d8dedc5accddb33 |
C:\Users\Admin\Desktop\StartUnpublish.dll
| MD5 | 8767f1eda9ab2ebd58b8bacdfb7dc8af |
| SHA1 | a51a28aaadb2b1e09dc98fe0014b4a39f5297a01 |
| SHA256 | c3dabe87b129e716e4ba2192cef7e88fe2413a1296e2414e2aac87e7d2034a46 |
| SHA512 | de019164741849bac018d7a7bcef4f0da225ae09c78fcceb8c5491295c66f809bffb93c5b7cf86a3c5a0ea7feda994093bfcea56728fc14d896277c2327ce600 |
C:\Users\Admin\Desktop\SetExport.easmx
| MD5 | 0fb67a1b3b1bdd0cd4641dd86513976d |
| SHA1 | 7223e7958711000af3984ddb7faf2a3f6eb618ac |
| SHA256 | caf8efcf5eef9a42944dd3201d5508ef4b2e5e8daef5c7499768ea6d4a9dfb22 |
| SHA512 | 0bafd184edc4ecf1e8e375645a3dbd0227dad8c601efb371656a907b480776e42968fc63d7557452f79d81d5e2b5ae0c49e0da43d29860612caf49e08b01c419 |
C:\Users\Admin\Desktop\SetConvertFrom.jpeg
| MD5 | 3103c84fbe44a273ac817bd3ed22c052 |
| SHA1 | 06eddcac91c428258a5325ab6bbd3d02fa3e5c6c |
| SHA256 | f14c8f5aab3385768fb2205a7ad1642ac030eb7cc7b87812f7e051bc9de17316 |
| SHA512 | d2500f460518e5656fe6199cebc53b965423212144d8f447e65291e94d18919add450aaaca75afdadcc1d3fba06e34288852823a6e31a40b4a74a724c8a06af2 |
C:\Users\Admin\Desktop\RenameWrite.docx
| MD5 | c9e1aa95322d407abb4676c85a619822 |
| SHA1 | aa4071fa0ea1532e9a34acdbe309e42d9fe0ddb9 |
| SHA256 | 4a92e82dfce3f2281b560ca31942cc9f7bb8f557e328b4a1cd3d487ecb56f745 |
| SHA512 | 0bd717cbf8b869c648ab2912c23756c75bf59097ab1db36bc59ec4f88e776fac48a9e595b5da3b92fd4d13ebfc4ec0185c6d388eb0401647066736eb0787744b |
C:\Users\Admin\Desktop\RegisterAssert.eps
| MD5 | 38aa3387e3a61ae47d3be5fabf963ee1 |
| SHA1 | 7dae7b296a2c52dc33bb76eda1004b4bcbe31535 |
| SHA256 | 6a94014cfe9f274aa3ddbacfdf54003e22aa4be699429838b1583443df893f4b |
| SHA512 | 16f60e36147428f3874db33a8756a59f17f0f04ff8d305261a038ff52a700e850a8a82020d4b7c639971745d08d8e67d9b7be4559da3223f948d0358b55d296a |
C:\Users\Admin\Desktop\OpenSend.clr
| MD5 | caee9d2de44ce51e7a2e6fbda232703b |
| SHA1 | 98609a58e577c00be807390edd27f474056e8fd4 |
| SHA256 | 3a5a777d0a97cd3dded54434ac694d98c29514da8d433dfd8e13f18f144610e2 |
| SHA512 | bd684281ef320bfa8999a106b4cc19688b2d940f244462bf638afb804478ed8636dd068ac529e6a5e0c8dc0ba742aac6deba1a48571bd43a60704752f844b6e7 |
C:\Users\Admin\AppData\Local\Temp\jgerce.exe
| MD5 | e7c0320cb474f7f0f34ad25c3e343226 |
| SHA1 | d9780cfbb2bd28f0596cff1dcc9ff10a303e78c1 |
| SHA256 | 3d733b07ec2bbf0c7c5c967d7cb5a6a1ec9a2da1b07d2f9afd95938c661ab0e6 |
| SHA512 | 5552332982d55fe9427b79b749555a8f8463f35a1706c92da16b2f277d07f17df35e4279463e15a5714502770b04086e6e4383f996917ed7ee2fe46eefae11a0 |
memory/2452-106-0x00000000000A0000-0x00000000004B4000-memory.dmp
memory/2452-111-0x000000001B220000-0x000000001B22B000-memory.dmp
memory/2452-110-0x000000001B200000-0x000000001B21E000-memory.dmp
memory/2452-107-0x000000001B3F0000-0x000000001B436000-memory.dmp
memory/2720-112-0x0000000001260000-0x000000000126C000-memory.dmp
memory/2452-109-0x000000001B1F0000-0x000000001B1FD000-memory.dmp
memory/2452-108-0x000000001B440000-0x000000001B449000-memory.dmp