Overview

overview

10

Static

static

3

downloader.exe

windows7-x64

10

downloader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2024 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    downloader.exe

  • Size

    70.1MB

  • MD5

    7e65c3e3cf7bc0c2f80216cef3bb542b

  • SHA1

    9a0a990498af53743a4b781b8a33100b4a64121b

  • SHA256

    3526cd1e1dd45bb9d3153891d5fdca9369a8e96541a45947a5e05b5d03b0b078

  • SHA512

    7037c1ae7d260449f5a44f9716589b80455f119af981299654327fed812749e9d6cd82d7225fcc8dd6f9338d7e21099298d9844d5c5020e43d9d7f8c277cce9e

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qAsGg4GUo3NP:lWoI7zGC5ahWc3ImN

Score
10/10
xwormagilenetevasionexecutionpersistenceratthemidatrojan

Malware Config

Extracted

Family

xworm

C2

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603
Attributes
  • Install_directory

    %Temp%

  • install_file

    SecurityHealthSystray.exe

Extracted

Family

xworm

Version

5.0

C2

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603
Mutex

XpRJMNcN9dWrZEo0

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    RuntimeBroker.exe

aes.plain

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 4 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\downloader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
        "C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDriveSetup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDriveSetup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1028
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDriveSetup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4532
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDriveSetup" /tr "C:\Users\Public\OneDriveSetup.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1424
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Users\Admin\AppData\Local\Temp\notepadd.exe
        "C:\Users\Admin\AppData\Local\Temp\notepadd.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Users\Admin\RuntimeBroker.exe
          "C:\Users\Admin\RuntimeBroker.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:872
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\ProgramData\RuntimeBroker.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1608
        • C:\Users\Admin\SecurityHealthSystray.exe
          "C:\Users\Admin\SecurityHealthSystray.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3228
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2264
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3396
        • C:\Users\Admin\WmiPrvSE.exe
          "C:\Users\Admin\WmiPrvSE.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3536
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2912
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ba169f4dcbbf147fe78ef0061a95e83b

    SHA1

    92a571a6eef49fff666e0f62a3545bcd1cdcda67

    SHA256

    5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

    SHA512

    8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    b51dc9e5ec3c97f72b4ca9488bbb4462

    SHA1

    5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

    SHA256

    976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

    SHA512

    0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    da5c82b0e070047f7377042d08093ff4

    SHA1

    89d05987cd60828cca516c5c40c18935c35e8bd3

    SHA256

    77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

    SHA512

    7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    7d1065573a0dbb09303ef324ab9b41a7

    SHA1

    9d0099e575b74d00fa39e3a7e84933c4ed753fc2

    SHA256

    1a6b86d72340011d4bb464c09cf11806b1b371bb70b3e287d3f569e15bcafd97

    SHA512

    bfcd159a47a36bf4fab290631859bd56aabca5577368bae5705cbc254de36a97122d6864a0aecfd8c6d0adb8ed7b3b52fbd4aa6694b9cfa5a9f211e79b39f7a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    aeceee3981c528bdc5e1c635b65d223d

    SHA1

    de9939ed37edca6772f5cdd29f6a973b36b7d31b

    SHA256

    b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

    SHA512

    df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    9c740b7699e2363ac4ecdf496520ca35

    SHA1

    aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

    SHA256

    be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

    SHA512

    8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    280B

    MD5

    48924114f9044d041f406c20b30032ea

    SHA1

    8c10e44b249ed258ff5a64acb7cd88ca47682e40

    SHA256

    149f22b0cbf68f1b8fdd0b3ecae957d7278bd4eab489496682e5283287fd3975

    SHA512

    bdbce629bd1fee6b01fa45ede6deda4783da8360d01a61f8625bc9c0c3abd70353df789a049b619b49f5609a7a275977e926a308eeb18f2025637e50f1e95279

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
    Filesize

    7.1MB

    MD5

    39c5c9eb7f3f6ebd1cfedb177773a8d1

    SHA1

    a1833695cbe5ab9cfbd5d4d097634246121c2734

    SHA256

    bbdef5a4cb10bc47dc4345b9af2debfd17d1bfafdd18e12ae7024cd3001292e7

    SHA512

    49ca1026e68854df4a04daad5bf37a57b66fc231580eede7dcf2666ffcf1bfce6ada7fc8db38faeec4822c8b08f269426e82b323371356b60ba26eab1448b75c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1af15m2v.4f4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\da610f43-58d7-4a0e-9b4e-969a1a7bd2ca\AgileDotNetRT64.dll
    Filesize

    4.2MB

    MD5

    05b012457488a95a05d0541e0470d392

    SHA1

    74f541d6a8365508c794ef7b4ac7c297457f9ce3

    SHA256

    1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

    SHA512

    6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\notepadd.exe
    Filesize

    7.4MB

    MD5

    c694c8301947af8b5c65e6132581044b

    SHA1

    d1c7cbb77eff86db70df4feae1c2a849fb695b65

    SHA256

    0e18f1cd01243a43de369982b88a586b585f2dc34f0c8a942f54f21069e5c71c

    SHA512

    babe000cade9afcc76cf41b0bd064c0124d5a97ff4e3e52024e25ad39fe8f9f26ac3a4027f4194d19ead2a502df4dbc916f1b2f870a14d4a2ae28a3115804775

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSetup.lnk
    Filesize

    1016B

    MD5

    49762fea5d261894521eccff5dbb1ba6

    SHA1

    6cde7b590048788dfffc7e983dab65d2211ae6a0

    SHA256

    dc56dca21fe2248c0c2d9e592031b64f71191e2a0d3025d14b05977011be11bb

    SHA512

    db851104920da7fafa6dd3069d61c66157acd906fcfd6426ea21ff29e336cf6eb9e9d0efa5e12c74a88428d770f02bd69ccb7cdab4e79e333c8d2a90a8d12630

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk
    Filesize

    702B

    MD5

    f4b9953e254da2047c3d3578eea62411

    SHA1

    6e67faaf9dba46cef9f50f289748ebaa7a670160

    SHA256

    fc96d50415d6acfb649641859adb2a5f27abe57db66eade8618f99078537054e

    SHA512

    3db104246c204f610845347d266d89f85f4e9d9c865e2adb7828f606a98263d3878c1005ad4f5a8b235cebf1fffb65772431299cedc6aa7196aecdb96c57c3f5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk
    Filesize

    1KB

    MD5

    e7a1de3d9931e4ab86de9f54419ea58f

    SHA1

    d69eeeba43a6e8f9d7a96bca9232bd065467d6d0

    SHA256

    fe7ea384193e7e8c25729ce7c30c9a09bba2bb7ef6fc84d0f902adaf3eab223c

    SHA512

    3705dcc414400c4adf9515531648fabe3ab53c346e81e65ad14972c7ea1b093ea848bd3ed809a6e966c3d2b4704e62577be03674752f20d4cd0154793187bfde

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk
    Filesize

    991B

    MD5

    3630a9900b35b20048372cb0f64b2521

    SHA1

    e7d1aa15b7064578778a900f967829569099d127

    SHA256

    bb12ea5506b81aff447f30796928a32323b226563addfb75b4732a9b0d6ce895

    SHA512

    9ef974025b6729a2a32551095b7b09d2db584f2f727208862ebd72a8920d8347518a9b8cfced6990924819cf384039d7aa0f93eacb9dc2473f8c70c010f68ab0

    Download Submit

  • C:\Users\Admin\RuntimeBroker.exe
    Filesize

    36KB

    MD5

    51b33fef6848fd52da62f31ebe64e1a5

    SHA1

    740fc31cd7b69aacc11a2377f52ef725fc1d3d77

    SHA256

    058eb738227f17552cedd86fde447ff319d4b354bef777ff8149a9df30dc6e7f

    SHA512

    c0727a6ee074dff2b5ac36d086ec86660b287e515fe7422cfc947df47328553a99af0812126d2243f4fefd1a784881dc283e8bac65007b77d487756734a4c0d6

    Download Submit

  • C:\Users\Admin\SecurityHealthSystray.exe
    Filesize

    244KB

    MD5

    f16d02b68f259d19e504bedd54d59e39

    SHA1

    d9102d345fceafd22b5b9a69f62e933f79a10a19

    SHA256

    b062135658f9e98a3dd7ae2cde12de8db784fd87cce6bf4c42aa0e9b3a775877

    SHA512

    ab0ea68c5dced9a6b2441f58a5ca6392071f82c700692c7438472be253c51eba2f44a0fdeebd18508af9a6e25ad689219c502cd2b7790a2bb7387a840375b007

    Download Submit

  • C:\Users\Admin\WmiPrvSE.exe
    Filesize

    127KB

    MD5

    b57e530c98da33302694a3da8d773e31

    SHA1

    476a5c20a5ae2e644442057635ea2da77c72a311

    SHA256

    3ff319a9cc09b0b02a5881a55e15d309f47a8d615912434875a9346153bade6b

    SHA512

    80ef2f24e6090d9c6c9bf9f54d6796a0066f2c90abcdda16c994b3864096678d9f0a98ff2a479b36acc174bc2d7b3ac15b58b9eefbbe6d88a92364f19206fc60

    Download Submit

  • memory/668-87-0x0000000000840000-0x0000000000850000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1140-122-0x0000000000B70000-0x0000000000B94000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1940-129-0x0000025A1AE50000-0x0000025A1AE72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3424-25-0x00007FFC846B0000-0x00007FFC85234000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3424-123-0x00007FFC846B0000-0x00007FFC85234000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3424-11-0x0000000000F70000-0x00000000016E6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3424-31-0x00007FFC8A5B0000-0x00007FFC8A6FE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3424-29-0x00007FFC846B0000-0x00007FFC85234000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3992-329-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-331-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-327-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-328-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-320-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-322-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-321-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-326-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-332-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-330-0x000001B7A4390000-0x000001B7A4391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4804-117-0x00000000009E0000-0x0000000000A22000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4888-27-0x00007FFC86CD0000-0x00007FFC87854000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4888-30-0x00007FFC8A5B0000-0x00007FFC8A6FE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4888-318-0x00007FFC86CD0000-0x00007FFC87854000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4888-319-0x00007FFC8BD03000-0x00007FFC8BD05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4888-18-0x00007FFC86CD0000-0x00007FFC87854000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4888-7-0x0000000000ED0000-0x00000000015F2000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/4888-6-0x00007FFC8BD03000-0x00007FFC8BD05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4888-341-0x00007FFC86CD0000-0x00007FFC87854000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4888-342-0x00007FFC86CD0000-0x00007FFC87854000-memory.dmp

    Filesize

    11.5MB

    Download