Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Bluestacks...er.exe

windows10-2004-x64

10

Bluestacks...er.exe

windows11-21h2-x64

Analysis

  • max time kernel
    91s
  • max time network
    98s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15/06/2024, 22:01 UTC

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    BluestacksInstaller.exe

  • Size

    80KB

  • MD5

    7a8057b88626b927138a6ac40016ff6d

  • SHA1

    beda666793500c73af8e4a73bf31d4831bda1a89

  • SHA256

    234d2f0fab4f2399ae1c4387e9dc58a19a3ea863d82c67ab1d90378b29e7748e

  • SHA512

    facc80950e636c0ef6b5bf703e9d19316d616735a7b6100c5a86897f0ee1d67668623eed5fed12a1086b85ceaadf9f8cfaddb0d2d0702b385e7a0ca5a0c5ce0b

  • SSDEEP

    768:YifC8qTvhE50tEIDPiKuukR7L1ptTfFWPt9e26cOMhFaB2hBC:YiTqTvhOYEIbiKuumnBFe9e26cOMX9A

Score
10/10
xwormbootkitevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

19.ip.gl.ply.gg:14513

Mutex

333EKK7TuWsNmMLK

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

aes.plain
1
mAsX0cuw/nkRzl5s4iSxdw==

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe"
    1⤵
    • UAC bypass
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BluestacksInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Users\Admin\AppData\Local\Temp\iaecxy.exe
      "C:\Users\Admin\AppData\Local\Temp\iaecxy.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat" "
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mbr.exe
          mbr.exe
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          PID:2140
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs"
          4⤵
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:3512
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
          erroricons.exe
          4⤵
          • Executes dropped EXE
          PID:2836
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
          INVERS.exe
          4⤵
          • Executes dropped EXE
          PID:3008
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
          crazywarningicons.exe
          4⤵
          • Executes dropped EXE
          PID:2668
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
          crazyinvers.exe
          4⤵
          • Executes dropped EXE
          PID:1104
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
          erroriconscursor.exe
          4⤵
          • Executes dropped EXE
          PID:3688
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
          toonel.exe
          4⤵
          • Executes dropped EXE
          PID:800
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs"
          4⤵
            PID:1788
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs"
            4⤵
              PID:4632
        • C:\Windows\SYSTEM32\shutdown.exe
          shutdown.exe /f /r /t 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3528
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004CC
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1844
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
        1⤵
          PID:1484
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa3a24855 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:3004

        Network

        • flag-us
          DNS
          19.ip.gl.ply.gg
          BluestacksInstaller.exe
          Remote address:
          8.8.8.8:53
          Request
          19.ip.gl.ply.gg
          IN A
          Response
          19.ip.gl.ply.gg
          IN A
          147.185.221.19
        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          BluestacksInstaller.exe
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • flag-us
          DNS
          nexusrules.officeapps.live.com
          BluestacksInstaller.exe
          Remote address:
          8.8.8.8:53
          Request
          nexusrules.officeapps.live.com
          IN A
          Response
          nexusrules.officeapps.live.com
          IN CNAME
          prod.nexusrules.live.com.akadns.net
          prod.nexusrules.live.com.akadns.net
          IN A
          52.111.243.31
        • flag-us
          DNS
          self.events.data.microsoft.com
          BluestacksInstaller.exe
          Remote address:
          8.8.8.8:53
          Request
          self.events.data.microsoft.com
          IN A
          Response
          self.events.data.microsoft.com
          IN CNAME
          self-events-data.trafficmanager.net
          self-events-data.trafficmanager.net
          IN CNAME
          onedscolprdeus12.eastus.cloudapp.azure.com
          onedscolprdeus12.eastus.cloudapp.azure.com
          IN A
          20.42.73.27
        • flag-us
          DNS
          19.221.185.147.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          19.221.185.147.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          31.243.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          31.243.111.52.in-addr.arpa
          IN PTR
          Response
        • 147.185.221.19:14513
          19.ip.gl.ply.gg
          BluestacksInstaller.exe
          331.5kB
           22.3MB
           7179
          17044
        • 147.185.221.19:14513
          19.ip.gl.ply.gg
          BluestacksInstaller.exe
          6.1MB
           126.1kB
           4611
          2476
        • 147.185.221.19:14513
          19.ip.gl.ply.gg
          BluestacksInstaller.exe
          10.3MB
           159.5kB
           7776
          3918
        • 8.8.8.8:53
          19.ip.gl.ply.gg
          dns
          BluestacksInstaller.exe
          279 B
           502 B
           4
          4

          DNS Request

          19.ip.gl.ply.gg

          DNS Response

          147.185.221.19

          DNS Request

          8.8.8.8.in-addr.arpa

          DNS Request

          nexusrules.officeapps.live.com

          DNS Response

          52.111.243.31

          DNS Request

          self.events.data.microsoft.com

          DNS Response

          20.42.73.27

        • 8.8.8.8:53
          19.221.185.147.in-addr.arpa
          dns
          145 B
           288 B
           2
          2

          DNS Request

          19.221.185.147.in-addr.arpa

          DNS Request

          31.243.111.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Pre-OS Boot

        1
        T1542

        Bootkit

        1
        T1542.003

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        3
        T1112

        Pre-OS Boot

        1
        T1542

        Bootkit

        1
        T1542.003

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
          Filesize

          512KB

          MD5

          8015461c323bf9c0f9ddeb665ab99d09

          SHA1

          c76fb3bd5486db25b63c02bf7469f96f5d207601

          SHA256

          d88157e5d52a20638560d89189655559ef44788522ed9301378014b1e97861c4

          SHA512

          973b56f4dc3bacb902df6bff68dbdd1c7b2b7d9dd1447091f7bb54acb85fec3ad280612147c8cf495f2cb57e55a4cfc94fa446f85295739cab2861d6a28ce071

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
          Filesize

          9KB

          MD5

          7050d5ae8acfbe560fa11073fef8185d

          SHA1

          5bc38e77ff06785fe0aec5a345c4ccd15752560e

          SHA256

          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

          SHA512

          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          e3840d9bcedfe7017e49ee5d05bd1c46

          SHA1

          272620fb2605bd196df471d62db4b2d280a363c6

          SHA256

          3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

          SHA512

          76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          0873757e33b6db5e1f880560307d39ed

          SHA1

          5eeb90dd7214ce87c3a7da370d3883b8de1a523f

          SHA256

          ffd4814d02b70970a6be70900bedcc0f1543c3b6707dddab6c808b32839db834

          SHA512

          e21c1a7347e3c78590a9e8c76698af7ac1a70d929c5d1e190b480cdf5e8063cd575d3c9b8a6101cfc4424619100ab421bee5f3723385e79b63381c04281b0b8c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          9030854a24cf37b7b4e3650aac67d427

          SHA1

          27f3e35705bbe6388da04bf97e09da1875a6bc71

          SHA256

          e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0

          SHA512

          f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
          Filesize

          2.3MB

          MD5

          5134f289dbf4abae370e3f36b637b73e

          SHA1

          c78d3f2d00dc47da0112a74df665c7a84a8e32c3

          SHA256

          e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

          SHA512

          0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
          Filesize

          2.3MB

          MD5

          a44458813e819777013eb3e644d74362

          SHA1

          2dd0616ca78e22464cf0cf68ef7915358a16f9ee

          SHA256

          47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

          SHA512

          1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
          Filesize

          1.2MB

          MD5

          e21bb4749a8b1b6fc26a7bcf57781836

          SHA1

          89cb0bd80d691ca650ad01551be3acefa2256ebd

          SHA256

          0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c

          SHA512

          b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\dobrota.mp3
          Filesize

          6.6MB

          MD5

          fad2e8c2a096f4593a03a771bbe99458

          SHA1

          88af47f279b9ea008901a6a242466f40f44e8a5c

          SHA256

          a40dd9aedae52766593bce06a9a68d47fcf8d430f254ce5e50b0c55587d46213

          SHA512

          7b607d2927bfb5d2ae3da7ad40fc842f6c1cd12cbc8814a043950d65f50d8084aaa8a544fe51312e68bde9434b138c5c8df50568650658ed0600f447a4a32441

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
          Filesize

          316KB

          MD5

          7f31508d95be3fe50e4e9aa646e86a12

          SHA1

          c61b439d6e17d630728f48c09b36af2647940748

          SHA256

          994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

          SHA512

          2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
          Filesize

          316KB

          MD5

          135eeb256e92d261066cfd3ffd31fb3e

          SHA1

          5c275ffd2ab1359249bae8c91bebcab19a185e91

          SHA256

          f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d

          SHA512

          a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mbr.exe
          Filesize

          47KB

          MD5

          8562ed46d745dceb3cc268693ca25c83

          SHA1

          309067f0c9703084654495a47e67f7a40824700d

          SHA256

          ea5d21e6598d52b30e9d055bc406c6227bbadb5c493addb27b32fb16a6dcae8c

          SHA512

          52f23e70f7ea6eab1a50a4008e563d787732f7361dfe10c48f39dae42bce023c90449c9a903733fab13c49b50f8c4fa7d4864ab26c69326aab0149c765fd677b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs
          Filesize

          37B

          MD5

          35fbf9bf29760b9e120b37900b3c1343

          SHA1

          8a231c37ee13e72f27a38411668fde6fef3ff5bc

          SHA256

          e1cdab59df6508013e8b91c71043c8ecfe81b94a037706147ed19adf992539e6

          SHA512

          d1c12b6690c6b90dda5ad3e226e30adc848b3c324f929dec373ab6c7606fbcab716c49c4446efadf14036583924f8f094491bfe8bef380fd877c00cf9feaacc6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs
          Filesize

          37B

          MD5

          63954d8930e517637c254f9da0749e7a

          SHA1

          27f6a13c0e9530166d62b4586c3d2bda5cb5064c

          SHA256

          bffa14678b8c39c2fbfa54b76fbac5f750aebc8dc2954da10a55b7f1f90f351c

          SHA512

          dd5df6b8a64523fedb5aaced7d864013d12e6930015d8fd2267b11cffe76741c3a7907814a832ff7589476a51d16e8ab0fc566f4ac0784f6a599070080c7008d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs
          Filesize

          216B

          MD5

          c36c15e1f99e1c0d093b9b089b1073c5

          SHA1

          47a237639f83d8de0c2034831ff3e12a3bad7408

          SHA256

          3d6123cae8ac645d9c9d33b0dada869a7fdd5117a2bf0f9080e4e30fe5bed736

          SHA512

          4283b45c6483e2ed6e9741f5937bb7851e101fb4710bd687a73a77b5abcb820d2480deaee50c8e87a7f225cee2430836da75d201838e9d989e91f3c0c0c60d1f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat
          Filesize

          220B

          MD5

          99ee6716bf6dd074e52a923e74f9fa70

          SHA1

          42494346592ca59d2d895ec77d37d83ce2dbed1a

          SHA256

          d51fd681ba6346842afe2f9cb7ae117cb667986af0c67e28664124173b183740

          SHA512

          2179380ec9630dbce4f7637f4e6fe8164d61cb41c2d43be98d97a7116aa5d7a181a8bdb4ed3f3d147aaec9dd2152dd9a23e94e3a67c2bd7f12e4b205826b6732

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
          Filesize

          317KB

          MD5

          a84257e64cfbd9f6c0a574af416bc0d1

          SHA1

          245649583806d63abb1b2dc1947feccc8ce4a4bc

          SHA256

          fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7

          SHA512

          6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xoe3dcmy.bwt.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\iaecxy.exe
          Filesize

          7.8MB

          MD5

          1c33f964fbf5b3642d02e4b20ba6f2ac

          SHA1

          dcec14364a4548ce394906487a37f98bb1d12198

          SHA256

          10a45dc010df96cbd65bfd8a59e906ca5f98dd6f7541cf02bdfc17df8384bb8f

          SHA512

          ea3268a85ff2dfe7c94c6eb670f4aa3a13ec3019cf47bbcfa7e31eaa48dea0c8ee7dd0ebd020785942063e8acee7e2df62cd0c1eadf46a0208ebea29e146462b

          Download Submit

        • memory/800-155-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1104-153-0x0000000000400000-0x0000000000582000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1480-57-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1480-0-0x00000000001C0000-0x00000000001DA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1480-163-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1480-56-0x000000001DD40000-0x000000001DDCE000-memory.dmp

          Filesize

          568KB

          Download

        • memory/1480-55-0x000000001AFB0000-0x000000001AFBC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1480-54-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1480-156-0x000000001A7C0000-0x000000001A7CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1480-1-0x00007FFEC71B3000-0x00007FFEC71B5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2140-102-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2668-152-0x0000000000400000-0x0000000000541000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2836-150-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/3008-151-0x0000000000400000-0x0000000000582000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3512-134-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3512-133-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3512-132-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3512-131-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3512-135-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3512-136-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3688-154-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/4532-10-0x0000024F97AE0000-0x0000024F97B02000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4532-15-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4532-18-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4532-13-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4532-12-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4532-11-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4532-14-0x00007FFEC71B0000-0x00007FFEC7C72000-memory.dmp

          Filesize

          10.8MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.