xworm | 9c5df26ea92875cc1fa22046f5b88a881b09d9dca85ac65a10e29ee1dc9b1bf5

Analysis

max time kernel
204s
max time network
213s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-07-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanLauncher.exe
Size

14.6MB
MD5

e0931ba21d8e656b82511a8686e0026f
SHA1

432225926aa4f5841cfd035a51ff7157a5a8809a
SHA256

9c5df26ea92875cc1fa22046f5b88a881b09d9dca85ac65a10e29ee1dc9b1bf5
SHA512

6aa7fc36e38ba34ef039ba4df38f239e416070d76f300f4043015139da5ed827c92d32862b0c75d540c4194a2785c6ac524e554d1580f1a4e93aa4a61b6718c0
SSDEEP

393216:7pRpu51k22qim6QTV6hTZLPHZ3a88WAgSgHD:7pR12j/R4b5iWAgHD

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:57645

20.ip.gl.ply.gg:57645

Attributes

Install_directory
%AppData%
install_file
Tlauncher.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ac10-15.dat	family_xworm
behavioral1/memory/4772-17-0x0000000000260000-0x0000000000276000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4552	powershell.exe
2260	powershell.exe
4116	powershell.exe
1508	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3216	Nursultan (2).exe
2452	lc.exe
4772	CFG.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_5 = "_default64.exe"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_8 = "crypt0rsx.exe"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lc.exe\" -startup"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lc.exe\""	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_1 = "AWindowsService.exe"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_3 = "windowsx-c.exe"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Config = "C:\\Users\\Admin\\AppData\\Roaming\\Config"	CFG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_2 = "taskhost.exe"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_4 = "System.exe"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_6 = "native.exe"	lc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_7 = "ux-cryptor.exe"	lc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4876	cmd.exe
4264	cmd.exe
200	cmd.exe
224	cmd.exe
4912	cmd.exe
2728	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1988	taskkill.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2452	lc.exe
3216	Nursultan (2).exe
3216	Nursultan (2).exe
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	CFG.exe
Token: SeDebugPrivilege	2452	lc.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	powershell.exe
Token: SeSecurityPrivilege	4552	powershell.exe
Token: SeTakeOwnershipPrivilege	4552	powershell.exe
Token: SeLoadDriverPrivilege	4552	powershell.exe
Token: SeSystemProfilePrivilege	4552	powershell.exe
Token: SeSystemtimePrivilege	4552	powershell.exe
Token: SeProfSingleProcessPrivilege	4552	powershell.exe
Token: SeIncBasePriorityPrivilege	4552	powershell.exe
Token: SeCreatePagefilePrivilege	4552	powershell.exe
Token: SeBackupPrivilege	4552	powershell.exe
Token: SeRestorePrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeSystemEnvironmentPrivilege	4552	powershell.exe
Token: SeRemoteShutdownPrivilege	4552	powershell.exe
Token: SeUndockPrivilege	4552	powershell.exe
Token: SeManageVolumePrivilege	4552	powershell.exe
Token: 33	4552	powershell.exe
Token: 34	4552	powershell.exe
Token: 35	4552	powershell.exe
Token: 36	4552	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeIncreaseQuotaPrivilege	2260	powershell.exe
Token: SeSecurityPrivilege	2260	powershell.exe
Token: SeTakeOwnershipPrivilege	2260	powershell.exe
Token: SeLoadDriverPrivilege	2260	powershell.exe
Token: SeSystemProfilePrivilege	2260	powershell.exe
Token: SeSystemtimePrivilege	2260	powershell.exe
Token: SeProfSingleProcessPrivilege	2260	powershell.exe
Token: SeIncBasePriorityPrivilege	2260	powershell.exe
Token: SeCreatePagefilePrivilege	2260	powershell.exe
Token: SeBackupPrivilege	2260	powershell.exe
Token: SeRestorePrivilege	2260	powershell.exe
Token: SeShutdownPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeSystemEnvironmentPrivilege	2260	powershell.exe
Token: SeRemoteShutdownPrivilege	2260	powershell.exe
Token: SeUndockPrivilege	2260	powershell.exe
Token: SeManageVolumePrivilege	2260	powershell.exe
Token: 33	2260	powershell.exe
Token: 34	2260	powershell.exe
Token: 35	2260	powershell.exe
Token: 36	2260	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeIncreaseQuotaPrivilege	4116	powershell.exe
Token: SeSecurityPrivilege	4116	powershell.exe
Token: SeTakeOwnershipPrivilege	4116	powershell.exe
Token: SeLoadDriverPrivilege	4116	powershell.exe
Token: SeSystemProfilePrivilege	4116	powershell.exe
Token: SeSystemtimePrivilege	4116	powershell.exe
Token: SeProfSingleProcessPrivilege	4116	powershell.exe
Token: SeIncBasePriorityPrivilege	4116	powershell.exe
Token: SeCreatePagefilePrivilege	4116	powershell.exe
Token: SeBackupPrivilege	4116	powershell.exe
Token: SeRestorePrivilege	4116	powershell.exe
Token: SeShutdownPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeSystemEnvironmentPrivilege	4116	powershell.exe
Token: SeRemoteShutdownPrivilege	4116	powershell.exe
Token: SeUndockPrivilege	4116	powershell.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 3216	204	NursultanLauncher.exe	72
PID 204 wrote to memory of 3216	204	NursultanLauncher.exe	72
PID 204 wrote to memory of 2452	204	NursultanLauncher.exe	74
PID 204 wrote to memory of 2452	204	NursultanLauncher.exe	74
PID 204 wrote to memory of 4772	204	NursultanLauncher.exe	75
PID 204 wrote to memory of 4772	204	NursultanLauncher.exe	75
PID 2452 wrote to memory of 4876	2452	lc.exe	77
PID 2452 wrote to memory of 4876	2452	lc.exe	77
PID 2452 wrote to memory of 2728	2452	lc.exe	78
PID 2452 wrote to memory of 2728	2452	lc.exe	78
PID 2452 wrote to memory of 4912	2452	lc.exe	79
PID 2452 wrote to memory of 4912	2452	lc.exe	79
PID 2452 wrote to memory of 224	2452	lc.exe	80
PID 2452 wrote to memory of 224	2452	lc.exe	80
PID 2452 wrote to memory of 200	2452	lc.exe	81
PID 2452 wrote to memory of 200	2452	lc.exe	81
PID 2452 wrote to memory of 4264	2452	lc.exe	82
PID 2452 wrote to memory of 4264	2452	lc.exe	82
PID 2452 wrote to memory of 1988	2452	lc.exe	83
PID 2452 wrote to memory of 1988	2452	lc.exe	83
PID 4912 wrote to memory of 2708	4912	cmd.exe	92
PID 4912 wrote to memory of 2708	4912	cmd.exe	92
PID 4264 wrote to memory of 996	4264	cmd.exe	91
PID 4264 wrote to memory of 996	4264	cmd.exe	91
PID 4876 wrote to memory of 2412	4876	cmd.exe	93
PID 4876 wrote to memory of 2412	4876	cmd.exe	93
PID 2728 wrote to memory of 3272	2728	cmd.exe	94
PID 2728 wrote to memory of 3272	2728	cmd.exe	94
PID 224 wrote to memory of 3220	224	cmd.exe	95
PID 224 wrote to memory of 3220	224	cmd.exe	95
PID 200 wrote to memory of 3640	200	cmd.exe	96
PID 200 wrote to memory of 3640	200	cmd.exe	96
PID 4264 wrote to memory of 4864	4264	cmd.exe	97
PID 4264 wrote to memory of 4864	4264	cmd.exe	97
PID 224 wrote to memory of 2408	224	cmd.exe	98
PID 224 wrote to memory of 2408	224	cmd.exe	98
PID 2728 wrote to memory of 4712	2728	cmd.exe	99
PID 2728 wrote to memory of 4712	2728	cmd.exe	99
PID 4912 wrote to memory of 2268	4912	cmd.exe	100
PID 4912 wrote to memory of 2268	4912	cmd.exe	100
PID 200 wrote to memory of 4376	200	cmd.exe	101
PID 200 wrote to memory of 4376	200	cmd.exe	101
PID 4876 wrote to memory of 4312	4876	cmd.exe	102
PID 4876 wrote to memory of 4312	4876	cmd.exe	102
PID 4772 wrote to memory of 4552	4772	CFG.exe	103
PID 4772 wrote to memory of 4552	4772	CFG.exe	103
PID 4772 wrote to memory of 2260	4772	CFG.exe	106
PID 4772 wrote to memory of 2260	4772	CFG.exe	106
PID 4772 wrote to memory of 4116	4772	CFG.exe	108
PID 4772 wrote to memory of 4116	4772	CFG.exe	108
PID 4772 wrote to memory of 1508	4772	CFG.exe	110
PID 4772 wrote to memory of 1508	4772	CFG.exe	110

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3272	attrib.exe
3640	attrib.exe
3220	attrib.exe
4712	attrib.exe
2708	attrib.exe
996	attrib.exe
2412	attrib.exe
4864	attrib.exe
2408	attrib.exe
2268	attrib.exe
4376	attrib.exe
4312	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NursultanLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:204
- C:\Users\Admin\AppData\Local\Temp\Nursultan (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan (2).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\lc.exe
  "C:\Users\Admin\AppData\Local\Temp\lc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r +i /D
      4⤵
      Views/modifies file attributes
      PID:2412
  - - C:\Windows\system32\attrib.exe
      attrib -h +s +r info-0v92.txt
      4⤵
      Views/modifies file attributes
      PID:4312
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r +i /D
      4⤵
      Views/modifies file attributes
      PID:3272
  - - C:\Windows\system32\attrib.exe
      attrib -h +s +r info-0v92.txt
      4⤵
      Views/modifies file attributes
      PID:4712
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r +i /D
      4⤵
      Views/modifies file attributes
      PID:2708
  - - C:\Windows\system32\attrib.exe
      attrib -h +s +r info-0v92.txt
      4⤵
      Views/modifies file attributes
      PID:2268
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r +i /D
      4⤵
      Views/modifies file attributes
      PID:3220
  - - C:\Windows\system32\attrib.exe
      attrib -h +s +r info-0v92.txt
      4⤵
      Views/modifies file attributes
      PID:2408
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:200
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r +i /D
      4⤵
      Views/modifies file attributes
      PID:3640
  - - C:\Windows\system32\attrib.exe
      attrib -h +s +r info-0v92.txt
      4⤵
      Views/modifies file attributes
      PID:4376
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r +i /D
      4⤵
      Views/modifies file attributes
      PID:996
  - - C:\Windows\system32\attrib.exe
      attrib -h +s +r info-0v92.txt
      4⤵
      Views/modifies file attributes
      PID:4864
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /im Explorer.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Users\Admin\AppData\Local\Temp\CFG.exe
  "C:\Users\Admin\AppData\Local\Temp\CFG.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CFG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CFG.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Config'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Config'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cea4e375907aed0741e70d456f4626b

SHA1
a157bdcdb1ec9f013a3f04666e982c853298396b

SHA256
dd7e67e7453b33e13966cfffbd58515bedb8d55df0eef21e8560a4596f3c14a9

SHA512
e279cc2686412513a99ef0de7480eede9f44b5aadb9ea6f36f62cf0c3a7c98f74840bda5439c64fb3c022f092ad1a3f4580448a153f3939bca4bd1ab551a0cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71d3be04e225343a82612be65844a946

SHA1
4591eda05367bbaafb41d56f6ddda319de6db676

SHA256
2d721ce8a79f0be9085868f94afdeb9880ab7ca3859f0a9359ae04731a557ceb

SHA512
4d5961e8bab956dfcfeb1837e634b43e660a15dd0d6b9bc3a6594ad542bfb2e38f4a0cdfe6013c674a0bd090376fe750656ad481c1a4ec8814975b3a419f526c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a0d143bca1b9841040ba24e54496479

SHA1
a12bc05b7140de4a15a55af6ec2c65eab76fe93d

SHA256
8aa37dbc34256a711ae0937364494aafb99534da74dff08645a8c7b84a747ff2

SHA512
c7629fa20befe2c6cd94e72cb315225c4f01f2ed6de385a00a0263030ae580731e710c672a8495b32b8d2a6523f2bfdd59cf720b32eab49a6bdf25ddc33d569e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$unlocker_id.ux-cryptobytes

Filesize
6B

MD5
19bdd315bdccf38bb486dd9193e41db8

SHA1
1c2f851cc2641b65249124dada5d0e086b75584d

SHA256
9ce2a784b3e293a2ab2a9c27de50164cd8c981f915361417c82e7c42045f8665

SHA512
9e04255cfd805f1ac6d5ef854c47a238b3c3a8c5b7050bdc157518b41c87b682a5caf2ab2b22d07737e4d1773f1eb788afd8921f681fd6c4819a84daf3d5546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG.exe

Filesize
62KB

MD5
eae0ad49ab06b044c484dcd4d8e963a6

SHA1
a2053c7610fd3bc3032ace1d2197ed998c01a275

SHA256
52ed8f936f62945dd7f8f8eeae013a0fb01bc6a49dd2b4035f102bf516eb3a0e

SHA512
b777e63f5fd9ec444034d2bfe5b06a1aeb21b7780573cefb3db0effdf913370e706f0d48974f1b4df29d40abf962fc9e9e53f4ded1a95133796b6efe2a2e7fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan (2).exe

Filesize
14.4MB

MD5
888b6182409ced36aaea7f22268bceab

SHA1
b62d12c12f46c739e34241bc3590b6888c31d7f4

SHA256
11ccb1d864900ecb4d5c683d8e83dc6c0f55d8c89bcd7357e310598b7846d0de

SHA512
b6398b5a1cf3ae0b698cc7074d2a59d1415689b50f2e7751164fd22e8fd2024ea0d97590366c30c74a0539e6cc83f8fcac0b53e5f68e62d98d242646b4a9c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlyxz4v0.tyv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lc.exe

Filesize
180KB

MD5
335a5ba1ed82dea0445187640fcb3ef8

SHA1
d248a812bdf2f04142c4db46733265186c074929

SHA256
8b8ebc4b68489c284e563d7109c6c88a104306213b9eaaf0d9d3c41f0ab2fadc

SHA512
2d81d711056d138fe560fd832acdef07e32536a0a6667f6a5ddc993ce1f0bf3f504ab97baa60765b1384ece870d4fe5b911ac3c599e0ba83ff09f4245dd8f6d5

Download Submit
C:\Users\Admin\info-0v92.txt

Filesize
115B

MD5
f60540ec8fe1805438c1f0bd76fe26ae

SHA1
091f9a98e4d9d24d56cbbf9b952575d32ec6fec9

SHA256
29fd438334e8d5c08295fed1824f69554b8294a91fdc8a3f88ddfb4d866d1604

SHA512
6b13ddcd82638db0a330a153f209299081fbc6fc2469fefd973c08655a4b757dfeaa1d7059b73114902fa4ef6ff2816dc0d28f889685f0ecb5e9abcebfce1d6a

Download Submit
memory/204-16-0x0000000000400000-0x00000000012A8000-memory.dmp

Filesize
14.7MB

Download
memory/2452-215-0x00007FFA478C0000-0x00007FFA47A9B000-memory.dmp

Filesize
1.9MB

Download
memory/2452-13-0x00007FFA478C0000-0x00007FFA47A9B000-memory.dmp

Filesize
1.9MB

Download
memory/2452-12-0x0000000000810000-0x0000000000844000-memory.dmp

Filesize
208KB

Download
memory/3216-34-0x00007FFA47AA0000-0x00007FFA47AA2000-memory.dmp

Filesize
8KB

Download
memory/3216-37-0x0000000140000000-0x0000000141C1B000-memory.dmp

Filesize
28.1MB

Download
memory/4552-46-0x000001E4A6420000-0x000001E4A6496000-memory.dmp

Filesize
472KB

Download
memory/4552-43-0x000001E4A6110000-0x000001E4A6132000-memory.dmp

Filesize
136KB

Download
memory/4772-17-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download