agenttesla | 97b156f53366d0aac2e46c97b8f7bb3efb1a541e0a923aed24c0f8e7d4c4ee25

Analysis

max time kernel
36s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZeroxStealerInstaller.exe
Size

2.9MB
MD5

9b1a7d9403b93f7a390d953c2785a9ed
SHA1

0246222a9290cd73bfda0e402722a82d04507a43
SHA256

97b156f53366d0aac2e46c97b8f7bb3efb1a541e0a923aed24c0f8e7d4c4ee25
SHA512

fdf61c48deee07db3563859a934fd9238c3ed33bd68b180fbf46d121b233359b69d3ec6c370f0ca17bbdb444ec8a784985d54a06704dfe1ea22701124b0fc4b0
SSDEEP

49152:qvo+8aGzQqDRtQH/vpxWIfKgVgVKkbmNoi7r+ogPpkZs/ohvc8q8IzIWvuA8KXAb:qh83dRtMvb/KgVLNNwRkVhBNIzWvKo

Score

10^/10

agenttesla xworm execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:28019

chilhoek-28019.portmap.host:28019

lijaligibidu-35558.portmap.host:35558

Attributes

Install_directory
%AppData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7460505018:AAGtMNP89kfVCbpYBPLkO5O4JcFb8YqssUk

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x00090000000235a7-6.dat	family_xworm
behavioral2/files/0x00070000000235ae-17.dat	family_xworm
behavioral2/memory/2404-24-0x0000000000BA0000-0x0000000000BBA000-memory.dmp	family_xworm
behavioral2/memory/4892-25-0x00000000005A0000-0x00000000005B8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/1464-43-0x000001B129DE0000-0x000001B129FF6000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4524	powershell.exe
4508	powershell.exe
404	powershell.exe
1036	powershell.exe
2668	powershell.exe
3124	powershell.exe
2992	powershell.exe
5020	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ZeroxStealerInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	XClient (2).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WindowsSecurity.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient (2).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient (2).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe

Executes dropped EXE 3 IoCs

pid	Process
4892	WindowsSecurity.exe
2404	XClient (2).exe
1464	ZeroxStealerInstaller.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ZeroxStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ZeroxStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	ZeroxStealerInstaller.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
2992	powershell.exe
2992	powershell.exe
2992	powershell.exe
4508	powershell.exe
4508	powershell.exe
4524	powershell.exe
4524	powershell.exe
4508	powershell.exe
4524	powershell.exe
404	powershell.exe
404	powershell.exe
1036	powershell.exe
1036	powershell.exe
1036	powershell.exe
404	powershell.exe
2668	powershell.exe
2668	powershell.exe
3124	powershell.exe
3124	powershell.exe
2668	powershell.exe
3124	powershell.exe
4892	WindowsSecurity.exe
2404	XClient (2).exe
4892	WindowsSecurity.exe
2404	XClient (2).exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	XClient (2).exe
Token: SeDebugPrivilege	4892	WindowsSecurity.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	4892	WindowsSecurity.exe
Token: SeDebugPrivilege	2404	XClient (2).exe
Token: SeDebugPrivilege	3060	taskmgr.exe
Token: SeSystemProfilePrivilege	3060	taskmgr.exe
Token: SeCreateGlobalPrivilege	3060	taskmgr.exe
Token: 33	3060	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3060	taskmgr.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4892	WindowsSecurity.exe
2404	XClient (2).exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4892	1448	ZeroxStealerInstaller.exe	90
PID 1448 wrote to memory of 4892	1448	ZeroxStealerInstaller.exe	90
PID 1448 wrote to memory of 2404	1448	ZeroxStealerInstaller.exe	91
PID 1448 wrote to memory of 2404	1448	ZeroxStealerInstaller.exe	91
PID 1448 wrote to memory of 1464	1448	ZeroxStealerInstaller.exe	92
PID 1448 wrote to memory of 1464	1448	ZeroxStealerInstaller.exe	92
PID 4892 wrote to memory of 2992	4892	WindowsSecurity.exe	99
PID 4892 wrote to memory of 2992	4892	WindowsSecurity.exe	99
PID 2404 wrote to memory of 5020	2404	XClient (2).exe	100
PID 2404 wrote to memory of 5020	2404	XClient (2).exe	100
PID 2404 wrote to memory of 4508	2404	XClient (2).exe	103
PID 4892 wrote to memory of 4524	4892	WindowsSecurity.exe	104
PID 2404 wrote to memory of 4508	2404	XClient (2).exe	103
PID 4892 wrote to memory of 4524	4892	WindowsSecurity.exe	104
PID 4892 wrote to memory of 404	4892	WindowsSecurity.exe	107
PID 4892 wrote to memory of 404	4892	WindowsSecurity.exe	107
PID 2404 wrote to memory of 1036	2404	XClient (2).exe	109
PID 2404 wrote to memory of 1036	2404	XClient (2).exe	109
PID 2404 wrote to memory of 2668	2404	XClient (2).exe	111
PID 2404 wrote to memory of 2668	2404	XClient (2).exe	111
PID 4892 wrote to memory of 3124	4892	WindowsSecurity.exe	113
PID 4892 wrote to memory of 3124	4892	WindowsSecurity.exe	113

C:\Users\Admin\AppData\Local\Temp\ZeroxStealerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ZeroxStealerInstaller.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- C:\Users\Admin\AppData\Roaming\XClient (2).exe
  "C:\Users\Admin\AppData\Roaming\XClient (2).exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient (2).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient (2).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- C:\Users\Admin\AppData\Roaming\ZeroxStealerInstaller.exe
  "C:\Users\Admin\AppData\Roaming\ZeroxStealerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:8
1⤵
PID:2068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ZeroxStealerInstaller.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2824843fb99557504353da77ba877467

SHA1
9ac648f81c2a7fac1ed5ac8f4463bea1cdac8c2b

SHA256
308d8e3ea64d589627e8330e3a1bf8564d83da836d05a999dc44afc6e191f21a

SHA512
abb07bee5e2c85ef3e4be1c5aecc2b0ee285fba6eace431d1263e393c57ff0c05d09aa4bf9276e3109434993011831a3c7145262d24a1163143f724ee4d73586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01lbjxax.zcs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk

Filesize
818B

MD5
15a6098065a7acd83db6c511e7d48707

SHA1
56ecc0ab130ca2a213d3d8274f64fd4cff34cf2b

SHA256
137fa4661eca592b0aafe1aab13ba9e4cd6959fef5619d2dc678f2d24dd2c93f

SHA512
d70a868d176bd1f9d6e62694abee9d5ea261c7eb8017fab8d8db299184827996a46b703d382cdf7079ea894120b30415098f18ef388e8a442fc6e4bff9885309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk

Filesize
766B

MD5
2e4a7cbdba68c822c4402c283315ea8d

SHA1
478adaca1229278a747162f5eb7ad79a328f89e4

SHA256
9e1e57e33cfbed82b89705f13abae923778d563292cfaa4416936896ad4e0d63

SHA512
0913d3ed8e67430f0f90a226b1973faf09c50db0e8fdf83ec4b6453a82b0bc37a2afb676c9e35c77edb5f46726324c6d0aaed775431e1a7f1f18b56b5f07c084

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
75KB

MD5
cf219a189dae4a022f26dd58cd5367e6

SHA1
76c2e7b756e894afc4e5fd7267fce398d58c518f

SHA256
725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

SHA512
21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient (2).exe

Filesize
81KB

MD5
c1b7e4e3a25be04cc93a44017bd58298

SHA1
b40e7d99a41bd49172cd23470ccb4387b3351942

SHA256
9f36f62ffb252f041490ccf9faf344e03a7987a566cc399f0be06e4e5e60fbcb

SHA512
4192250e78e0a3440e2b5d1b7782566a55d96fa8a68877ff8869f617ce3095374289c78ea3d200082fb91efb8fcbce8fea946fcfea08cef05265a2c3512f99cf

Download Submit
C:\Users\Admin\AppData\Roaming\ZeroxStealerInstaller.exe

Filesize
2.7MB

MD5
e4468845f3b426403f3223a1b18cf858

SHA1
9cea44a892f83e660d56a69bc97af2c094b2f087

SHA256
7cebe983265c3a77b2a369b56edd521733e9103f1a42fd09dcaf5abf5dd547bd

SHA512
c4703c2f3f0bb92020b4d920d5ba2e6ba7e505ae736bc7b4d5289ed8b3faff3748061f731e6f6ecf0aa6d78eccbfa187175a07f54bd7e4b97345f8bc91080840

Download Submit
memory/1448-0-0x00007FFCBA6E3000-0x00007FFCBA6E5000-memory.dmp

Filesize
8KB

Download
memory/1448-1-0x00000000004E0000-0x00000000007D0000-memory.dmp

Filesize
2.9MB

Download
memory/1464-40-0x000001B10F290000-0x000001B10F556000-memory.dmp

Filesize
2.8MB

Download
memory/1464-43-0x000001B129DE0000-0x000001B129FF6000-memory.dmp

Filesize
2.1MB

Download
memory/1464-42-0x000001B10F910000-0x000001B10F924000-memory.dmp

Filesize
80KB

Download
memory/1464-41-0x000001B129AA0000-0x000001B129BEE000-memory.dmp

Filesize
1.3MB

Download
memory/2404-146-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-24-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

Filesize
104KB

Download
memory/2404-45-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-44-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-147-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-151-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-158-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-155-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-156-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-157-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-150-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-149-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-161-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-160-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/3060-159-0x0000012185E50000-0x0000012185E51000-memory.dmp

Filesize
4KB

Download
memory/4892-115-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-148-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-34-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-25-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/4892-46-0x00007FFCBA6E0000-0x00007FFCBB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/5020-47-0x0000019A05910000-0x0000019A05932000-memory.dmp

Filesize
136KB

Download