xworm | 8feede6d1d97285dfa2c2ec23184ebcd801e72d547dc9844f5f12903d85e1e98

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

883KB
MD5

77e867a3f236eb41a2a20e21c38aa579
SHA1

1ef96b0d018842df9f11b4395b30d5c04f3da0b4
SHA256

8feede6d1d97285dfa2c2ec23184ebcd801e72d547dc9844f5f12903d85e1e98
SHA512

b866bcf34f44dbddc92c082179b42523ca0d05e89afa1501447ebf3e7cb9981f1f4c8655c7be8e919d71940f23c598fea6affae636b9aa1685243f9e31a2d5e2
SSDEEP

24576:1bXDm30y7do7o4W9JHe9k3fQ0MSOLZasH96z27:dXerDe9k3fOSOLZatz

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

leading-sexuality.gl.at.ply.gg:61430

locations-ff.gl.at.ply.gg:30820

Attributes

Install_directory
%LocalAppData%
install_file
RobloxClient.exe

Signatures

Detect Xworm Payload 9 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120f9-5.dat	family_xworm
behavioral1/memory/2680-7-0x0000000000D70000-0x0000000000D88000-memory.dmp	family_xworm
behavioral1/memory/1068-57-0x0000000001220000-0x0000000001238000-memory.dmp	family_xworm
behavioral1/files/0x0007000000016be6-61.dat	family_xworm
behavioral1/memory/2436-63-0x0000000001250000-0x000000000126A000-memory.dmp	family_xworm
behavioral1/files/0x0007000000016bf7-70.dat	family_xworm
behavioral1/memory/1536-78-0x00000000009B0000-0x00000000009C8000-memory.dmp	family_xworm
behavioral1/memory/2000-136-0x00000000001D0000-0x00000000001EA000-memory.dmp	family_xworm
behavioral1/memory/900-137-0x00000000000D0000-0x00000000000E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1672	powershell.exe
1108	powershell.exe
2892	powershell.exe
1400	powershell.exe
2112	powershell.exe
2088	powershell.exe
2940	powershell.exe
2084	powershell.exe
2500	powershell.exe
2808	powershell.exe
2196	powershell.exe
2704	powershell.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RobloxClient.lnk	чгш.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RobloxClient.lnk	чгш.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\driv.lnk	djndhr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\driv.lnk	djndhr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	oibapi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	oibapi.exe

Executes dropped EXE 7 IoCs

pid	Process
2680	чгш.exe
2768	Bootstrapper.exe
1068	RobloxClient.exe
2436	djndhr.exe
1536	oibapi.exe
900	svchost.exe
2000	driv

Loads dropped DLL 6 IoCs

pid	Process
1976	Bootstrapper.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\RobloxClient = "C:\\Users\\Admin\\AppData\\Local\\RobloxClient.exe"	чгш.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\driv = "C:\\Users\\Admin\\AppData\\Roaming\\driv"	djndhr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	oibapi.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1748	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2520	schtasks.exe
2960	schtasks.exe
2168	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2436	djndhr.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2704	powershell.exe
2940	powershell.exe
2088	powershell.exe
2084	powershell.exe
2680	чгш.exe
2500	powershell.exe
1672	powershell.exe
2808	powershell.exe
2196	powershell.exe
2436	djndhr.exe
1108	powershell.exe
2892	powershell.exe
1400	powershell.exe
2112	powershell.exe
1536	oibapi.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	чгш.exe
Token: SeDebugPrivilege	2768	Bootstrapper.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2680	чгш.exe
Token: SeDebugPrivilege	1068	RobloxClient.exe
Token: SeDebugPrivilege	2436	djndhr.exe
Token: SeDebugPrivilege	1536	oibapi.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2436	djndhr.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1536	oibapi.exe
Token: SeDebugPrivilege	2000	driv
Token: SeDebugPrivilege	900	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2680	чгш.exe
2436	djndhr.exe
1536	oibapi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2680	1976	Bootstrapper.exe	30
PID 1976 wrote to memory of 2680	1976	Bootstrapper.exe	30
PID 1976 wrote to memory of 2680	1976	Bootstrapper.exe	30
PID 1976 wrote to memory of 2768	1976	Bootstrapper.exe	31
PID 1976 wrote to memory of 2768	1976	Bootstrapper.exe	31
PID 1976 wrote to memory of 2768	1976	Bootstrapper.exe	31
PID 2680 wrote to memory of 2704	2680	чгш.exe	33
PID 2680 wrote to memory of 2704	2680	чгш.exe	33
PID 2680 wrote to memory of 2704	2680	чгш.exe	33
PID 2768 wrote to memory of 2720	2768	Bootstrapper.exe	35
PID 2768 wrote to memory of 2720	2768	Bootstrapper.exe	35
PID 2768 wrote to memory of 2720	2768	Bootstrapper.exe	35
PID 2680 wrote to memory of 2940	2680	чгш.exe	36
PID 2680 wrote to memory of 2940	2680	чгш.exe	36
PID 2680 wrote to memory of 2940	2680	чгш.exe	36
PID 2680 wrote to memory of 2088	2680	чгш.exe	38
PID 2680 wrote to memory of 2088	2680	чгш.exe	38
PID 2680 wrote to memory of 2088	2680	чгш.exe	38
PID 2680 wrote to memory of 2084	2680	чгш.exe	40
PID 2680 wrote to memory of 2084	2680	чгш.exe	40
PID 2680 wrote to memory of 2084	2680	чгш.exe	40
PID 2680 wrote to memory of 2520	2680	чгш.exe	42
PID 2680 wrote to memory of 2520	2680	чгш.exe	42
PID 2680 wrote to memory of 2520	2680	чгш.exe	42
PID 2916 wrote to memory of 1068	2916	taskeng.exe	46
PID 2916 wrote to memory of 1068	2916	taskeng.exe	46
PID 2916 wrote to memory of 1068	2916	taskeng.exe	46
PID 2680 wrote to memory of 2436	2680	чгш.exe	47
PID 2680 wrote to memory of 2436	2680	чгш.exe	47
PID 2680 wrote to memory of 2436	2680	чгш.exe	47
PID 2680 wrote to memory of 684	2680	чгш.exe	48
PID 2680 wrote to memory of 684	2680	чгш.exe	48
PID 2680 wrote to memory of 684	2680	чгш.exe	48
PID 2680 wrote to memory of 1536	2680	чгш.exe	50
PID 2680 wrote to memory of 1536	2680	чгш.exe	50
PID 2680 wrote to memory of 1536	2680	чгш.exe	50
PID 2680 wrote to memory of 1996	2680	чгш.exe	51
PID 2680 wrote to memory of 1996	2680	чгш.exe	51
PID 2680 wrote to memory of 1996	2680	чгш.exe	51
PID 1996 wrote to memory of 1748	1996	cmd.exe	53
PID 1996 wrote to memory of 1748	1996	cmd.exe	53
PID 1996 wrote to memory of 1748	1996	cmd.exe	53
PID 2436 wrote to memory of 2500	2436	djndhr.exe	54
PID 2436 wrote to memory of 2500	2436	djndhr.exe	54
PID 2436 wrote to memory of 2500	2436	djndhr.exe	54
PID 2436 wrote to memory of 1672	2436	djndhr.exe	56
PID 2436 wrote to memory of 1672	2436	djndhr.exe	56
PID 2436 wrote to memory of 1672	2436	djndhr.exe	56
PID 2436 wrote to memory of 2808	2436	djndhr.exe	58
PID 2436 wrote to memory of 2808	2436	djndhr.exe	58
PID 2436 wrote to memory of 2808	2436	djndhr.exe	58
PID 2436 wrote to memory of 2196	2436	djndhr.exe	60
PID 2436 wrote to memory of 2196	2436	djndhr.exe	60
PID 2436 wrote to memory of 2196	2436	djndhr.exe	60
PID 2436 wrote to memory of 2960	2436	djndhr.exe	62
PID 2436 wrote to memory of 2960	2436	djndhr.exe	62
PID 2436 wrote to memory of 2960	2436	djndhr.exe	62
PID 1536 wrote to memory of 1108	1536	oibapi.exe	64
PID 1536 wrote to memory of 1108	1536	oibapi.exe	64
PID 1536 wrote to memory of 1108	1536	oibapi.exe	64
PID 1536 wrote to memory of 2892	1536	oibapi.exe	66
PID 1536 wrote to memory of 2892	1536	oibapi.exe	66
PID 1536 wrote to memory of 2892	1536	oibapi.exe	66
PID 1536 wrote to memory of 1400	1536	oibapi.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\чгш.exe
  "C:\Users\Admin\AppData\Local\чгш.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\чгш.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'чгш.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RobloxClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RobloxClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RobloxClient" /tr "C:\Users\Admin\AppData\Local\RobloxClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\djndhr.exe
    "C:\Users\Admin\AppData\Local\Temp\djndhr.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\djndhr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'djndhr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\driv'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'driv'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2196
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "driv" /tr "C:\Users\Admin\AppData\Roaming\driv"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2960
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "RobloxClient"
    3⤵
    PID:684
- - C:\Users\Admin\AppData\Local\Temp\oibapi.exe
    "C:\Users\Admin\AppData\Local\Temp\oibapi.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\oibapi.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'oibapi.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2168
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F61.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1748
- C:\Users\Admin\AppData\Local\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2768 -s 1072
    3⤵
    - Loads dropped DLL
    PID:2720

C:\Windows\system32\taskeng.exe
taskeng.exe {E923023B-FE7A-47FB-88F5-A85EAC379796} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\RobloxClient.exe
  C:\Users\Admin\AppData\Local\RobloxClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Users\Public\svchost.exe
  C:\Users\Public\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Users\Admin\AppData\Roaming\driv
  C:\Users\Admin\AppData\Roaming\driv
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\djndhr.exe

Filesize
79KB

MD5
4094bb0ec3ece9871da2a39a7ee6ab1c

SHA1
68f2285319fe716d47568e8a46e0cfedbf8ed6e7

SHA256
841ecd200c021335e5f37f65ab0be89f9e8d739ba55831f1ed8c4f4ecba42b6d

SHA512
fb2da9013e42f4e6a30c985b24eba1a010e3c4f06576f08fe80b3e195c919b25c400108605db6dbd5bdf682c169661fcbcf75b8ba64edb38ee39ef217c762506

Download Submit
C:\Users\Admin\AppData\Local\Temp\oibapi.exe

Filesize
72KB

MD5
1d985f2ec2fa62a01b2f49d597093066

SHA1
daf01275745b56c0163ad2820130a73cd2c5fd18

SHA256
36f9edfea5b0d1586607f1c735bc98aaefbaa80e7ec17c618430eac6f4290683

SHA512
941152ec68c8bf548563c1957ae9434464aa509397ee5a51984b28e02986a539533be13e5c029557a69752fc13d9a5d51d5b721df9c3c3e06e157481c5a2c627

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F61.tmp.bat

Filesize
153B

MD5
9bed60e14ba3932fb79fe212d0a644d9

SHA1
cc8e157a5a17402cb6e6be4d044e2114bae62008

SHA256
4f2e2ca6d4ec13cc5f600dc5b42bd4182299aefc67a74fe6ee513f1316a67070

SHA512
90294170cc3bb04d5e544f055b388b2443aee7538d09abf55d0820ced846443137e011a2dc9b42568eba07ff026b0923883718d9ffa94757cacf69ce741ce50c

Download Submit
C:\Users\Admin\AppData\Local\чгш.exe

Filesize
74KB

MD5
6560fb9e69125fb9b92373a503c5bd64

SHA1
09bffb5a4e83c5496d7df6a25abeca9b51625746

SHA256
ea2d71055ca2e640f63cd26272692550794b63c442647e6d80290b0495557011

SHA512
5d6f75b3e89c1dc95ec46fc921c9635504c8a212e19c352547ee0d406629e9e30e12024165467bde5ee4ce142323ea197c90949e061eaa661af195869d4189f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XJQYZ4Q6JK6HF2NXXSC5.temp

Filesize
7KB

MD5
22699cf1aa5973840619342d147c1f5d

SHA1
736be839d60b840217958cb1c2417ef416ea30ff

SHA256
578aabba1e4fa6160931ad18d66fb878d8165619bd1183bb59691b8f268c9475

SHA512
7901f6d2b44db739d5421e1550fb904ccbe2a83b1e9b297c21a9469e7db109b1f2252454ccc49718c03394b14ace603121788223296f83d9f33c771bf313aec9

Download Submit
\Users\Admin\AppData\Local\Bootstrapper.exe

Filesize
796KB

MD5
4b94b989b0fe7bec6311153b309dfe81

SHA1
bb50a4bb8a66f0105c5b74f32cd114c672010b22

SHA256
7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659

SHA512
fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

Download Submit
memory/900-137-0x00000000000D0000-0x00000000000E8000-memory.dmp

Filesize
96KB

Download
memory/1068-57-0x0000000001220000-0x0000000001238000-memory.dmp

Filesize
96KB

Download
memory/1536-78-0x00000000009B0000-0x00000000009C8000-memory.dmp

Filesize
96KB

Download
memory/1672-91-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1976-0-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000000AB0000-0x0000000000B94000-memory.dmp

Filesize
912KB

Download
memory/2000-136-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/2436-63-0x0000000001250000-0x000000000126A000-memory.dmp

Filesize
104KB

Download
memory/2680-52-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-51-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-50-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-79-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-15-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-7-0x0000000000D70000-0x0000000000D88000-memory.dmp

Filesize
96KB

Download
memory/2704-21-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2704-20-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2768-14-0x0000000001380000-0x000000000144E000-memory.dmp

Filesize
824KB

Download
memory/2940-32-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2940-33-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download