xworm | 0ea39ad1a4a162efdfd1aeeb734603c2049fb91bd736907266e0e9d49f6030be

Analysis

max time kernel
125s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6/Xworm.exe
Size

8.1MB
MD5

09a9589689f2e0f5697d413cca4e227b
SHA1

2cb33d48a4b39c9304cbd8395a9a89074f8c14e2
SHA256

d0a2637c7f1fe073e613d607da3ada027123c75194ebdf528734d8b48e808a8d
SHA512

2c2494736c9fcd1a3d3b10e77c1af1ad60595d82897f7d82236f64b51d8bb46d8d723764fded8b3d94c68c43beb9c9e0c4c4a9c1d09603b46d56011f13b8e62f
SSDEEP

196608:wQJFUQqPn9x5pJPU/Vp4uDubMUxOQZyl5pFfeYUkZV:PMF9JPUtp4uDubMc1ZylRf5

Score

10^/10

xworm execution rat trojan

Malware Config

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b8f-19.dat	family_xworm
behavioral2/memory/1600-28-0x00000000007B0000-0x00000000007E6000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023caa-37.dat	family_xworm
behavioral2/memory/1780-45-0x00000000003C0000-0x00000000003EA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1096	powershell.exe
4912	powershell.exe
3588	powershell.exe
5068	powershell.exe
1348	powershell.exe
1548	powershell.exe
3068	powershell.exe
3956	powershell.exe

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000b000000023b8e-8.dat	net_reactor
behavioral2/files/0x000b000000023b8f-19.dat	net_reactor
behavioral2/memory/1600-28-0x00000000007B0000-0x00000000007E6000-memory.dmp	net_reactor
behavioral2/files/0x0007000000023caa-37.dat	net_reactor
behavioral2/memory/1780-45-0x00000000003C0000-0x00000000003EA000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Xworm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	XwormLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Executes dropped EXE 8 IoCs

pid	Process
1492	XwormLoader.exe
1600	taskhostw.exe
1780	svchost.exe
4776	Xworm V5.6.exe
1476	svchost.exe
2368	taskhostw.exe
60	svchost.exe
3644	taskhostw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4688	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
732	schtasks.exe
4672	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1600	taskhostw.exe
1780	svchost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1348	powershell.exe
1348	powershell.exe
1548	powershell.exe
1548	powershell.exe
3068	powershell.exe
3068	powershell.exe
3956	powershell.exe
3956	powershell.exe
1096	powershell.exe
1096	powershell.exe
4912	powershell.exe
4912	powershell.exe
1600	taskhostw.exe
3588	powershell.exe
3588	powershell.exe
5068	powershell.exe
5068	powershell.exe
1780	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	taskhostw.exe
Token: SeDebugPrivilege	1492	XwormLoader.exe
Token: SeDebugPrivilege	1780	svchost.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	1476	svchost.exe
Token: SeDebugPrivilege	2368	taskhostw.exe
Token: SeDebugPrivilege	60	svchost.exe
Token: SeDebugPrivilege	3644	taskhostw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1600	taskhostw.exe
1780	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1492	2600	Xworm.exe	83
PID 2600 wrote to memory of 1492	2600	Xworm.exe	83
PID 2600 wrote to memory of 1600	2600	Xworm.exe	84
PID 2600 wrote to memory of 1600	2600	Xworm.exe	84
PID 1492 wrote to memory of 1780	1492	XwormLoader.exe	85
PID 1492 wrote to memory of 1780	1492	XwormLoader.exe	85
PID 1600 wrote to memory of 1348	1600	taskhostw.exe	87
PID 1600 wrote to memory of 1348	1600	taskhostw.exe	87
PID 1492 wrote to memory of 4776	1492	XwormLoader.exe	86
PID 1492 wrote to memory of 4776	1492	XwormLoader.exe	86
PID 1492 wrote to memory of 3960	1492	XwormLoader.exe	89
PID 1492 wrote to memory of 3960	1492	XwormLoader.exe	89
PID 3960 wrote to memory of 4688	3960	cmd.exe	91
PID 3960 wrote to memory of 4688	3960	cmd.exe	91
PID 1600 wrote to memory of 1548	1600	taskhostw.exe	92
PID 1600 wrote to memory of 1548	1600	taskhostw.exe	92
PID 1600 wrote to memory of 3068	1600	taskhostw.exe	94
PID 1600 wrote to memory of 3068	1600	taskhostw.exe	94
PID 1600 wrote to memory of 3956	1600	taskhostw.exe	96
PID 1600 wrote to memory of 3956	1600	taskhostw.exe	96
PID 1780 wrote to memory of 1096	1780	svchost.exe	98
PID 1780 wrote to memory of 1096	1780	svchost.exe	98
PID 1600 wrote to memory of 732	1600	taskhostw.exe	100
PID 1600 wrote to memory of 732	1600	taskhostw.exe	100
PID 1780 wrote to memory of 4912	1780	svchost.exe	102
PID 1780 wrote to memory of 4912	1780	svchost.exe	102
PID 1780 wrote to memory of 3588	1780	svchost.exe	104
PID 1780 wrote to memory of 3588	1780	svchost.exe	104
PID 1780 wrote to memory of 5068	1780	svchost.exe	106
PID 1780 wrote to memory of 5068	1780	svchost.exe	106
PID 1780 wrote to memory of 4672	1780	svchost.exe	110
PID 1780 wrote to memory of 4672	1780	svchost.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5068
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4672
- - C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB2F.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4688
- C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
  "C:\Users\Admin\AppData\Local\Temp\taskhostw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskhostw" /tr "C:\Users\Admin\AppData\Local\taskhostw.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:732

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Local\taskhostw.exe
C:\Users\Admin\AppData\Local\taskhostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Users\Admin\AppData\Local\taskhostw.exe
C:\Users\Admin\AppData\Local\taskhostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0dcbfef1c28cd8081b1fe48bb10147f0

SHA1
26993d9a89a783dd5e121d1327665a2206fed5db

SHA256
c04593a35db9a9cd977943cc84c600df1889b2bd74322ad09879449e8976e5fd

SHA512
f1b18a99e40871957a0f50ac5c1d9bb55d99d4bbcb23a2ecdbfac6bc8edf25eb68de1f865f8c3777d3f216b73f6408184f6a8cec197d32778d63087cf9275dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2a4825f4f95c5d3d72911c6e7eb902ca

SHA1
4c22133f24e77211313beb0831980029a53e7dde

SHA256
59eecad327a693c8b2e3a5932238cda2141c6a0afbba6a5587933c9f2c1025e0

SHA512
8e09a61c62a4b83f4f323b5b74f89cc26d708fd1fe646317f5f404af8d4d3fcf327f20f5e4a3b310786c0f639df2d17e1a51def08c95fa964928ad6c08c81386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
db51a102eab752762748a2dec8f7f67a

SHA1
194688ec1511b83063f7b0167ae250764b7591d1

SHA256
93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

SHA512
fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\XwormLoader.exe

Filesize
7.9MB

MD5
5b757c6d0af650a77ba1bf7edea18b36

SHA1
c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3

SHA256
c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856

SHA512
93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y5eph53t.psu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
144KB

MD5
4b90399888a12fb85ccc3d0190d5a1d3

SHA1
3326c027bac28b9480b0c7f621481a6cc033db4e

SHA256
cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

SHA512
899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhostw.exe

Filesize
189KB

MD5
3636da95a3dd07300784e8146b76d1ec

SHA1
cb931a7f078a8af1024bbcdb3e84642b6298e1bc

SHA256
b121e69024dd83d1d69e8bc054cac5c1819b6cd22e307b76149066b29eff75fb

SHA512
20cfe53b164da34679ff3e3c622de9e9eff82ae5ef36da0442e1141b6e198fca3be4de1cc021a7c9359cf8ae3c405ec5ea0846f722560ab8ef16cedbb052ecf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB2F.tmp.bat

Filesize
174B

MD5
e2237b6012bdab3678aa45fd05ddd21b

SHA1
70a20ca6e2b4bd99d1c6a2646f5caa00a5dce4c6

SHA256
d0ea83062a8f8e5cc6c365c91a0bf8fb482bf29e41aaf4c662b5ffbb03e69a17

SHA512
5496b11582a1ca12599ed1288e01b9489a453f52623fef66027f75039613b2f3da51c749998687115e0fdc2bb519cfa1c41a6edff5a43b9320effbb8baf9d4b2

Download Submit
memory/1096-126-0x0000018F2B920000-0x0000018F2BA6E000-memory.dmp

Filesize
1.3MB

Download
memory/1348-68-0x000001AAB42A0000-0x000001AAB42C2000-memory.dmp

Filesize
136KB

Download
memory/1348-76-0x000001AAB43D0000-0x000001AAB451E000-memory.dmp

Filesize
1.3MB

Download
memory/1492-62-0x00007FFE0CA30000-0x00007FFE0D3D1000-memory.dmp

Filesize
9.6MB

Download
memory/1492-27-0x00007FFE0CA30000-0x00007FFE0D3D1000-memory.dmp

Filesize
9.6MB

Download
memory/1492-57-0x000000001E470000-0x000000001E93E000-memory.dmp

Filesize
4.8MB

Download
memory/1492-31-0x00007FFE0CA30000-0x00007FFE0D3D1000-memory.dmp

Filesize
9.6MB

Download
memory/1492-29-0x00007FFE0CA30000-0x00007FFE0D3D1000-memory.dmp

Filesize
9.6MB

Download
memory/1548-89-0x000001BCC82F0000-0x000001BCC843E000-memory.dmp

Filesize
1.3MB

Download
memory/1600-28-0x00000000007B0000-0x00000000007E6000-memory.dmp

Filesize
216KB

Download
memory/1600-32-0x00007FFE0A083000-0x00007FFE0A085000-memory.dmp

Filesize
8KB

Download
memory/1780-45-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2600-30-0x00007FFE0CA30000-0x00007FFE0D3D1000-memory.dmp

Filesize
9.6MB

Download
memory/2600-0-0x00007FFE0CCE5000-0x00007FFE0CCE6000-memory.dmp

Filesize
4KB

Download
memory/2600-3-0x000000001C830000-0x000000001C8D6000-memory.dmp

Filesize
664KB

Download
memory/2600-2-0x00007FFE0CA30000-0x00007FFE0D3D1000-memory.dmp

Filesize
9.6MB

Download
memory/2600-1-0x00007FFE0CA30000-0x00007FFE0D3D1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-101-0x000002441E380000-0x000002441E4CE000-memory.dmp

Filesize
1.3MB

Download
memory/3588-150-0x0000015FA97B0000-0x0000015FA98FE000-memory.dmp

Filesize
1.3MB

Download
memory/3956-113-0x000001DA5C510000-0x000001DA5C65E000-memory.dmp

Filesize
1.3MB

Download
memory/4776-58-0x0000022BCF7B0000-0x0000022BD0698000-memory.dmp

Filesize
14.9MB

Download
memory/4776-163-0x0000022BEB170000-0x0000022BEB364000-memory.dmp

Filesize
2.0MB

Download
memory/4912-138-0x0000015458320000-0x000001545846E000-memory.dmp

Filesize
1.3MB

Download
memory/5068-162-0x000002675C110000-0x000002675C25E000-memory.dmp

Filesize
1.3MB

Download