xworm | 97a22c0ccf016548ea84f9152fb5d58dddb374e9874956fbb9d12ae67aa1e9d2

Analysis

max time kernel
580s
max time network
595s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2/XWorm V5.2.exe
Size

73KB
MD5

b85f72648cf99409357519725c9bd5fc
SHA1

de3b9162632a96c4a3ac27da6663399a0d393910
SHA256

b06d089bd5be63788ef530ff1f93216625aa66d1d811f9ec3f2892268b656011
SHA512

4569a7a710ea4226dc81b6d158cabae1dd0e5452d5847e5d29d68efa0e2572092c19c9887c5a8498acb78dd2c961bb1d72750e671ff89de0ce2c0b6922292804
SSDEEP

1536:jqst7fwnejh7pHWpUhFYdsTudTb42WKvCBXH3KyuJG6JyORxaE1QHK:jBFZ7pWpHmWTb42NCXRu7yORoEyHK

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

uk1.localto.net:3725

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4492-1-0x0000000000960000-0x0000000000978000-memory.dmp	family_xworm
C:\ProgramData\svchost.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3904	powershell.exe
1776	powershell.exe
2388	powershell.exe
1596	powershell.exe
1716	powershell.exe
2460	powershell.exe
2524	powershell.exe
1772	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWorm V5.2.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	XWorm V5.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 4 IoCs

Processes:

svchost.exeXWorm V5.2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XWorm V5.2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XWorm V5.2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 10 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
1492	svchost.exe
2500	svchost.exe
4916	svchost.exe
1460	svchost.exe
4584	svchost.exe
920	svchost.exe
3044	svchost.exe
1596	svchost.exe
2292	svchost.exe
1604	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3052 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

936 schtasks.exe
2108 schtasks.exe

flow	ioc
6	ip-api.com

pid	process
3052	timeout.exe

pid	process
936	schtasks.exe
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXWorm V5.2.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
1716	powershell.exe
1716	powershell.exe
2460	powershell.exe
2460	powershell.exe
2524	powershell.exe
2524	powershell.exe
1772	powershell.exe
1772	powershell.exe
4492	XWorm V5.2.exe
3904	powershell.exe
3904	powershell.exe
1776	powershell.exe
1776	powershell.exe
2388	powershell.exe
2388	powershell.exe
1596	powershell.exe
1596	powershell.exe
1492	svchost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

XWorm V5.2.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4492	XWorm V5.2.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	4492	XWorm V5.2.exe
Token: SeDebugPrivilege	1492	svchost.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1492	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	4916	svchost.exe
Token: SeDebugPrivilege	1460	svchost.exe
Token: SeDebugPrivilege	4584	svchost.exe
Token: SeDebugPrivilege	920	svchost.exe
Token: SeDebugPrivilege	3044	svchost.exe
Token: SeDebugPrivilege	1596	svchost.exe
Token: SeDebugPrivilege	2292	svchost.exe
Token: SeDebugPrivilege	1604	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

XWorm V5.2.exesvchost.exe

pid process

4492 XWorm V5.2.exe
1492 svchost.exe

pid	process
4492	XWorm V5.2.exe
1492	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

XWorm V5.2.execmd.exesvchost.exe

description	pid	process	target process
PID 4492 wrote to memory of 1716	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 1716	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 2460	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 2460	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 2524	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 2524	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 1772	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 1772	4492	XWorm V5.2.exe	powershell.exe
PID 4492 wrote to memory of 936	4492	XWorm V5.2.exe	schtasks.exe
PID 4492 wrote to memory of 936	4492	XWorm V5.2.exe	schtasks.exe
PID 4492 wrote to memory of 2776	4492	XWorm V5.2.exe	schtasks.exe
PID 4492 wrote to memory of 2776	4492	XWorm V5.2.exe	schtasks.exe
PID 4492 wrote to memory of 436	4492	XWorm V5.2.exe	cmd.exe
PID 4492 wrote to memory of 436	4492	XWorm V5.2.exe	cmd.exe
PID 436 wrote to memory of 3052	436	cmd.exe	timeout.exe
PID 436 wrote to memory of 3052	436	cmd.exe	timeout.exe
PID 1492 wrote to memory of 3904	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 3904	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 1776	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 1776	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 2388	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 2388	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 1596	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 1596	1492	svchost.exe	powershell.exe
PID 1492 wrote to memory of 2108	1492	svchost.exe	schtasks.exe
PID 1492 wrote to memory of 2108	1492	svchost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2\XWorm V5.2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm V5.2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:936
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
  2⤵
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp29E9.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3052

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2108

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
73KB

MD5
b85f72648cf99409357519725c9bd5fc

SHA1
de3b9162632a96c4a3ac27da6663399a0d393910

SHA256
b06d089bd5be63788ef530ff1f93216625aa66d1d811f9ec3f2892268b656011

SHA512
4569a7a710ea4226dc81b6d158cabae1dd0e5452d5847e5d29d68efa0e2572092c19c9887c5a8498acb78dd2c961bb1d72750e671ff89de0ce2c0b6922292804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa1d071c64c11da056441908be218eb9

SHA1
829685d5759d0c6408cdb49d768319340911259b

SHA256
b441de653f1db11fdcb7756e853676af9c07fc2bdedf51aad9bd48efca291d3a

SHA512
809f7622cc311eb6476454804d323cc3fa993f7ef4cab5edce15d72d8c9cd8d56023f59877fc7346e6d27c90e53d11e96185568aa69a7acc1cff318028d594a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee9f1be5d4d351a5c376b370adcf0eea

SHA1
1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

SHA256
70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

SHA512
fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4f4h4hgy.351.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29E9.tmp.bat

Filesize
173B

MD5
ed3f8f52e24ce58f7da774797fe15d73

SHA1
8c2b89d111a6c0614891ae80b8b36d944d132792

SHA256
597ff454e8da423c02760585ae08748a0401a9e077e27a59422d0a8566fdb073

SHA512
393300a1639b21bcc7bc717bc4fe53eaf22ae9ec8206c2f2cc50b06ddcd1d4512a312ecc40eca155367dadb9720596deb4241e7b4356b57563336f37569de8a5

Download Submit
memory/1716-4-0x00007FFBE1BF0000-0x00007FFBE26B1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-3-0x00007FFBE1BF0000-0x00007FFBE26B1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-5-0x00007FFBE1BF0000-0x00007FFBE26B1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-18-0x00007FFBE1BF0000-0x00007FFBE26B1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-15-0x000002A01BFD0000-0x000002A01BFF2000-memory.dmp

Filesize
136KB

Download
memory/4492-57-0x00007FFBE1BF3000-0x00007FFBE1BF5000-memory.dmp

Filesize
8KB

Download
memory/4492-58-0x00007FFBE1BF0000-0x00007FFBE26B1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-66-0x00007FFBE1BF0000-0x00007FFBE26B1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-0-0x00007FFBE1BF3000-0x00007FFBE1BF5000-memory.dmp

Filesize
8KB

Download
memory/4492-2-0x00007FFBE1BF0000-0x00007FFBE26B1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-1-0x0000000000960000-0x0000000000978000-memory.dmp

Filesize
96KB

Download