vjw0rm | 515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe
Size

15.8MB
MD5

f192b4e9cf07850041e19ea07cd984e3
SHA1

061a917e9691648e00a7f91ff82ae1c0e8da248b
SHA256

515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7
SHA512

19b9c0c214534d23e134fb29b6b1091ecb8c83f64df1e28219748a61d96bbef31141bb0e8237a5a96ac8bed6c233da6194c719f2c1470155d0a8ad3c194a2f5a
SSDEEP

393216:bZ81TpBxAxlcciQ2RRkaZECMV8ElgSgq4nZ:bpB2jk3Vvlh6

Score

10^/10

vjw0rm xworm evasion execution persistence rat trojan worm

Malware Config

Extracted

Family

xworm

192.168.1.8:7000

Attributes

Install_directory
%AppData%
install_file
XClienamrt.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\XClientamor.exe	family_xworm
behavioral2/memory/3216-36-0x0000000000190000-0x00000000001D6000-memory.dmp	family_xworm

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4524 powershell.exe
3668 powershell.exe
868 powershell.exe
1872 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1188 netsh.exe

pid	process
1188	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClientamor.exe515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exeOutputbinded.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	XClientamor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Outputbinded.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 6 IoCs

Processes:

XClientamor.exeServer.exeWScript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66d1b8410b347e24d21ce9ad910a4de7.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66d1b8410b347e24d21ce9ad910a4de7.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myronworm.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myronworm.vbs	wscript.exe

Executes dropped EXE 4 IoCs

Processes:

Outputbinded.exeXClientamor.exeXworm V5.6.exeServer.exe

pid process

3892 Outputbinded.exe
3216 XClientamor.exe
2312 Xworm V5.6.exe
2932 Server.exe

pid	process
3892	Outputbinded.exe
3216	XClientamor.exe
2312	Xworm V5.6.exe
2932	Server.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	wscript.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

Server.exe

description	ioc	process
File created	C:\autorun.inf	Server.exe
File opened for modification	C:\autorun.inf	Server.exe
File created	D:\autorun.inf	Server.exe
File created	F:\autorun.inf	Server.exe
File opened for modification	F:\autorun.inf	Server.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeServer.exe

pid	process
4524	powershell.exe
4524	powershell.exe
3668	powershell.exe
3668	powershell.exe
868	powershell.exe
868	powershell.exe
1872	powershell.exe
1872	powershell.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe
2932	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Server.exe

pid process

2932 Server.exe

pid	process
2932	Server.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

XClientamor.exepowershell.exepowershell.exepowershell.exepowershell.exeServer.exe

description	pid	process
Token: SeDebugPrivilege	3216	XClientamor.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3216	XClientamor.exe
Token: SeDebugPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe
Token: 33	2932	Server.exe
Token: SeIncBasePriorityPrivilege	2932	Server.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exeOutputbinded.exeWScript.exeXClientamor.exeServer.exe

description	pid	process	target process
PID 4152 wrote to memory of 3892	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Outputbinded.exe
PID 4152 wrote to memory of 3892	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Outputbinded.exe
PID 3892 wrote to memory of 3216	3892	Outputbinded.exe	XClientamor.exe
PID 3892 wrote to memory of 3216	3892	Outputbinded.exe	XClientamor.exe
PID 4152 wrote to memory of 2312	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Xworm V5.6.exe
PID 4152 wrote to memory of 2312	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Xworm V5.6.exe
PID 4152 wrote to memory of 3296	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 4152 wrote to memory of 3296	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 4152 wrote to memory of 2932	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Server.exe
PID 4152 wrote to memory of 2932	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Server.exe
PID 4152 wrote to memory of 2932	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Server.exe
PID 4152 wrote to memory of 1940	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 4152 wrote to memory of 1940	4152	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 1940 wrote to memory of 2608	1940	WScript.exe	wscript.exe
PID 1940 wrote to memory of 2608	1940	WScript.exe	wscript.exe
PID 3216 wrote to memory of 4524	3216	XClientamor.exe	powershell.exe
PID 3216 wrote to memory of 4524	3216	XClientamor.exe	powershell.exe
PID 3216 wrote to memory of 3668	3216	XClientamor.exe	powershell.exe
PID 3216 wrote to memory of 3668	3216	XClientamor.exe	powershell.exe
PID 3216 wrote to memory of 868	3216	XClientamor.exe	powershell.exe
PID 3216 wrote to memory of 868	3216	XClientamor.exe	powershell.exe
PID 3216 wrote to memory of 1872	3216	XClientamor.exe	powershell.exe
PID 3216 wrote to memory of 1872	3216	XClientamor.exe	powershell.exe
PID 2932 wrote to memory of 1188	2932	Server.exe	netsh.exe
PID 2932 wrote to memory of 1188	2932	Server.exe	netsh.exe
PID 2932 wrote to memory of 1188	2932	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe
"C:\Users\Admin\AppData\Local\Temp\515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Roaming\Outputbinded.exe
  "C:\Users\Admin\AppData\Roaming\Outputbinded.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Roaming\XClientamor.exe
    "C:\Users\Admin\AppData\Roaming\XClientamor.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1872
- C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\amr.js"
  2⤵
  PID:3296
- C:\Users\Admin\AppData\Roaming\Server.exe
  "C:\Users\Admin\AppData\Roaming\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1188
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\myronworm.vbs"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\myronworm.vbs"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrz10mgt.qsq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Outputbinded.exe

Filesize
686KB

MD5
5d692aa620cbca52d380150edcf51377

SHA1
bfaaf5ea9910324e3d9f3d95c5a8ca4d94924d86

SHA256
65302dc08b26b59a91943d82c7c5b79a017164bd7623576cbefcb9851098bf3c

SHA512
0c3e90f6e169a9876f4095774d6fec1b76bc0e23c00b254610ed58f4238bcd0547c7f8974d171587783659752c415267cb4d2499f1a6ac18ed7760f78103bc67

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
242KB

MD5
2355cb5fc18f1e7a0cffa302d1bfebff

SHA1
3703ec0c5299c2861d05f92b3cf16191b982d38a

SHA256
d4550f31de4c62eb2012f9bb984a00ab0e8d865098322dcd4d5db94b7107b986

SHA512
256700d2605dc4bbdac8b72470b2e24992da10572b564a478553bd7d5bea5e91f488ae46fe5d42320a558d6d9c3b43134c54998c40a4c690e29e5dd73bae3cab

Download Submit
C:\Users\Admin\AppData\Roaming\XClientamor.exe

Filesize
260KB

MD5
9b839a50e55b18129f81629c61f912f7

SHA1
71e1feea8c12bd8b2501bf065d56fef8eae0517c

SHA256
92a21332ad995d61804e80d50abd6571a6faf3932ad574ff23939e84362485ae

SHA512
abcb038106c8c771c39a66f1f79885619a0a031a567d2a84acfb848545c8cd12dc1e64baa14f1151229de2abaf68fc023f6455cb47d6b29ec90832d0f2de9971

Download Submit
C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Roaming\amr.js

Filesize
3KB

MD5
e58364ddc8daeac92739f0b2c7547f9c

SHA1
ae2aa6f9cb8f4627d83c6158571689d596294cfe

SHA256
d03047394e431fbc6d68c74d2ac5348801ff1c4d7d3e12b1e3d873474c3cdf30

SHA512
d3e710f1c70883d5576ecdfec705c8edc671c533ebd353048c02d3bc8d9499a18d62c1cee8532d9c9ce325ca4966e53b40322e428cc0b20070971b974f8a673b

Download Submit
C:\Users\Admin\AppData\Roaming\myronworm.vbs

Filesize
9KB

MD5
120aaed75e85209923d8fd9f5718d3d5

SHA1
ea7d8bdceeb399c221743089cb0484863775e31d

SHA256
30c959f6c7c85698d06513048ca92f5615260fb877bb17be0baa24b164575409

SHA512
deed7f6cc041e2df572ee921f6ee31f332ccfc248e365a9f586ac1fb5a9864e68b7917632544f5fb33b48289d1607017d95cac281d0908671f5469fe84b235a8

Download Submit
memory/2312-53-0x000001A1A4DB0000-0x000001A1A5C98000-memory.dmp

Filesize
14.9MB

Download
memory/3216-36-0x0000000000190000-0x00000000001D6000-memory.dmp

Filesize
280KB

Download
memory/3892-15-0x00007FFA954A0000-0x00007FFA95F61000-memory.dmp

Filesize
10.8MB

Download
memory/3892-37-0x00007FFA954A0000-0x00007FFA95F61000-memory.dmp

Filesize
10.8MB

Download
memory/3892-13-0x0000000000590000-0x0000000000640000-memory.dmp

Filesize
704KB

Download
memory/4152-0-0x00007FFA954A3000-0x00007FFA954A5000-memory.dmp

Filesize
8KB

Download
memory/4152-1-0x0000000000CA0000-0x0000000001C7E000-memory.dmp

Filesize
15.9MB

Download
memory/4524-65-0x00000129E6110000-0x00000129E6132000-memory.dmp

Filesize
136KB

Download