Overview

overview

10

Static

static

3

downloader.exe

windows7-x64

10

downloader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-08-2024 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    downloader.exe

  • Size

    70.1MB

  • MD5

    de8c4fd7ed1b7623ab3c9a4e55c17211

  • SHA1

    40f68eb4eb8194fa236f13e980d7d0940db0a9fe

  • SHA256

    192933cb274a687f0072e0db4064e4ee9080b95e303fd0ab9347760bc091e3c2

  • SHA512

    85c4bd56d6187c10baf3278de30268379b23131025e9fb6f21cf040d29c7291db6d3d1beefe0c9a7c814d932f34b0a22bf3443184f30dc4e0244eab2230c374b

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qEsGg4GUo3Nf:lWoI7zGi5ahWc3Im9

Score
10/10
xwormagilenetevasionexecutionpersistenceratthemidatrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603
Mutex

XpRJMNcN9dWrZEo0

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    RuntimeBroker.exe

aes.plain

Extracted

Family

xworm

C2

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603
Attributes
  • Install_directory

    %Public%

  • install_file

    WmiPrvSE.exe

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 3 IoCs
  • Obfuscated with Agile.Net obfuscator 4 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 24 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\downloader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe
        "C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4456
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Users\Admin\AppData\Local\Temp\notepadd.exe
        "C:\Users\Admin\AppData\Local\Temp\notepadd.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Users\Admin\RuntimeBroker.exe
          "C:\Users\Admin\RuntimeBroker.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:972
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\ProgramData\RuntimeBroker.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3096
        • C:\Users\Admin\SecurityHealthSystray.exe
          "C:\Users\Admin\SecurityHealthSystray.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3412
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2556
        • C:\Users\Admin\WmiPrvSE.exe
          "C:\Users\Admin\WmiPrvSE.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1184
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Users\Admin\AppData\Local\Temp\notepadd.exe
        "C:\Users\Admin\AppData\Local\Temp\notepadd.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2296
  • C:\Users\Public\WmiPrvSE.exe
    C:\Users\Public\WmiPrvSE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1300
  • C:\ProgramData\RuntimeBroker.exe
    C:\ProgramData\RuntimeBroker.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:720
  • C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
    C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4040
  • C:\ProgramData\RuntimeBroker.exe
    C:\ProgramData\RuntimeBroker.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:720
  • C:\Users\Public\WmiPrvSE.exe
    C:\Users\Public\WmiPrvSE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4976
  • C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
    C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepadd.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    62623d22bd9e037191765d5083ce16a3

    SHA1

    4a07da6872672f715a4780513d95ed8ddeefd259

    SHA256

    95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

    SHA512

    9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d8cb3e9459807e35f02130fad3f9860d

    SHA1

    5af7f32cb8a30e850892b15e9164030a041f4bd6

    SHA256

    2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

    SHA512

    045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ba169f4dcbbf147fe78ef0061a95e83b

    SHA1

    92a571a6eef49fff666e0f62a3545bcd1cdcda67

    SHA256

    5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

    SHA512

    8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    62d94562013cad250e309b4091503254

    SHA1

    f658f6e53e980694f5ff5bae10455c21ee059a2e

    SHA256

    1ff2d02730e490230262e82169d667b1db011b405f53b3bb4345ed1ee3efc1d5

    SHA512

    282e6777407b759ba15e7410cefc8652ae362a5e9ae13dfb355a3044154ca018a8de2b98df0e83012ae98279480ee3b517c62d33c8122f078ea5f3732aaa2a97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\02b390f5-8dce-407c-af26-9d9d549adeb7\AgileDotNetRT64.dll
    Filesize

    4.2MB

    MD5

    05b012457488a95a05d0541e0470d392

    SHA1

    74f541d6a8365508c794ef7b4ac7c297457f9ce3

    SHA256

    1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

    SHA512

    6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbzunmws.hqe.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\notepadd.exe
    Filesize

    7.4MB

    MD5

    c694c8301947af8b5c65e6132581044b

    SHA1

    d1c7cbb77eff86db70df4feae1c2a849fb695b65

    SHA256

    0e18f1cd01243a43de369982b88a586b585f2dc34f0c8a942f54f21069e5c71c

    SHA512

    babe000cade9afcc76cf41b0bd064c0124d5a97ff4e3e52024e25ad39fe8f9f26ac3a4027f4194d19ead2a502df4dbc916f1b2f870a14d4a2ae28a3115804775

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe
    Filesize

    7.0MB

    MD5

    47d346922b3f771ddf7c8bb6561f7d4e

    SHA1

    9b9f255438265bf69e2aaf009500da72df23d416

    SHA256

    839519c001ba1fdb59d646c9ccc02e6d0db57d1948d6c6efd2b1a40607b9c99b

    SHA512

    4a8a5ad173d5c2b72d70fbd49e12df47fc6bd4e6b35f154ce6ce7f7ea7fc3de0a1422439c152221a1b000870e87299de58bc9cbcf68dbaf637377b4f6266e7d8

    Download Submit

  • C:\Users\Admin\RuntimeBroker.exe
    Filesize

    36KB

    MD5

    51b33fef6848fd52da62f31ebe64e1a5

    SHA1

    740fc31cd7b69aacc11a2377f52ef725fc1d3d77

    SHA256

    058eb738227f17552cedd86fde447ff319d4b354bef777ff8149a9df30dc6e7f

    SHA512

    c0727a6ee074dff2b5ac36d086ec86660b287e515fe7422cfc947df47328553a99af0812126d2243f4fefd1a784881dc283e8bac65007b77d487756734a4c0d6

    Download Submit

  • C:\Users\Admin\SecurityHealthSystray.exe
    Filesize

    244KB

    MD5

    f16d02b68f259d19e504bedd54d59e39

    SHA1

    d9102d345fceafd22b5b9a69f62e933f79a10a19

    SHA256

    b062135658f9e98a3dd7ae2cde12de8db784fd87cce6bf4c42aa0e9b3a775877

    SHA512

    ab0ea68c5dced9a6b2441f58a5ca6392071f82c700692c7438472be253c51eba2f44a0fdeebd18508af9a6e25ad689219c502cd2b7790a2bb7387a840375b007

    Download Submit

  • C:\Users\Admin\WmiPrvSE.exe
    Filesize

    127KB

    MD5

    b57e530c98da33302694a3da8d773e31

    SHA1

    476a5c20a5ae2e644442057635ea2da77c72a311

    SHA256

    3ff319a9cc09b0b02a5881a55e15d309f47a8d615912434875a9346153bade6b

    SHA512

    80ef2f24e6090d9c6c9bf9f54d6796a0066f2c90abcdda16c994b3864096678d9f0a98ff2a479b36acc174bc2d7b3ac15b58b9eefbbe6d88a92364f19206fc60

    Download Submit

  • memory/1960-86-0x0000000000F20000-0x0000000000F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2296-131-0x00007FFF79010000-0x00007FFF79B94000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2296-132-0x00007FFF80350000-0x00007FFF8049E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2296-133-0x00007FFF79010000-0x00007FFF79B94000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2296-130-0x00007FFF79010000-0x00007FFF79B94000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2668-10-0x0000000000D10000-0x0000000001486000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/2668-29-0x00007FFF80350000-0x00007FFF8049E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2668-28-0x00007FFF79010000-0x00007FFF79B94000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2668-120-0x00007FFF79010000-0x00007FFF79B94000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2668-24-0x00007FFF79010000-0x00007FFF79B94000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3256-134-0x000002B554CF0000-0x000002B554D12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3980-121-0x0000000000380000-0x00000000003A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4236-122-0x0000000000970000-0x00000000009B2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4236-313-0x00000000029D0000-0x00000000029DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4456-285-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-300-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-9-0x00000000007A0000-0x0000000000EA8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/4456-284-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-26-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-286-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-287-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-294-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-298-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-23-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-304-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-305-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-306-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-30-0x00007FFF80350000-0x00007FFF8049E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4456-314-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-315-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-316-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-317-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4456-318-0x00007FFF7CA70000-0x00007FFF7D5F4000-memory.dmp

    Filesize

    11.5MB

    Download