xred | 17e9b9671209644815f245388c1a676efa400a5425ba632cb4aedab455ba0511

Analysis

max time kernel
52s
max time network
52s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-12-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPDATE INTERNAL JAXX SHIT.exe
Size

2.0MB
MD5

c253cfaedd1d9da42f634bbeee60a1f1
SHA1

4f5db9b353831e4fd574599590e18060b5bef046
SHA256

17e9b9671209644815f245388c1a676efa400a5425ba632cb4aedab455ba0511
SHA512

f50ea95286e7d1ec6c8e8f0dc5459d10e695306dd58e190d716513a6df6a11c92a9a58e2de04da13c6419af776b0a710fd6d313d306da73e9acd3bf18afa4782
SSDEEP

49152:uGcPzld1F9Uy0DVo4aZLjGdRxWGYzuxo2Pj2ZGX:uh7n1h0DV6ZLjGdCGYam2PjAG

Score

10^/10

xred xworm backdoor defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

terms-hold.gl.at.ply.gg:22825

Mutex

anL8Q4Rm5NG9cHYr

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aa78-21.dat	family_xworm
behavioral1/files/0x004900000002aa99-53.dat	family_xworm
behavioral1/memory/4308-133-0x00000000007E0000-0x00000000007F0000-memory.dmp	family_xworm
behavioral1/memory/1884-193-0x0000000000400000-0x00000000004CD000-memory.dmp	family_xworm
behavioral1/memory/4940-327-0x0000000000400000-0x00000000004CD000-memory.dmp	family_xworm
behavioral1/memory/4940-333-0x0000000000400000-0x00000000004CD000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe
244	powershell.exe
4820	powershell.exe
4596	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	._cache_svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	._cache_svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
4232	UPDATE EXTERNAL JAXX SHIT.exe
1884	svchost.exe
4308	._cache_svchost.exe
4940	Synaptics.exe
2096	._cache_Synaptics.exe
3104	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	._cache_svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Cheat Engine	UPDATE EXTERNAL JAXX SHIT.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\0704.wav	UPDATE EXTERNAL JAXX SHIT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPDATE INTERNAL JAXX SHIT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2952	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe
4232	UPDATE EXTERNAL JAXX SHIT.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	4308	._cache_svchost.exe
Token: SeDebugPrivilege	2096	._cache_Synaptics.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4308	._cache_svchost.exe
Token: SeDebugPrivilege	3104	svchost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
4308	._cache_svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 1240	4380	UPDATE INTERNAL JAXX SHIT.exe	77
PID 4380 wrote to memory of 1240	4380	UPDATE INTERNAL JAXX SHIT.exe	77
PID 4380 wrote to memory of 1240	4380	UPDATE INTERNAL JAXX SHIT.exe	77
PID 4380 wrote to memory of 4232	4380	UPDATE INTERNAL JAXX SHIT.exe	79
PID 4380 wrote to memory of 4232	4380	UPDATE INTERNAL JAXX SHIT.exe	79
PID 4380 wrote to memory of 1884	4380	UPDATE INTERNAL JAXX SHIT.exe	80
PID 4380 wrote to memory of 1884	4380	UPDATE INTERNAL JAXX SHIT.exe	80
PID 4380 wrote to memory of 1884	4380	UPDATE INTERNAL JAXX SHIT.exe	80
PID 1884 wrote to memory of 4308	1884	svchost.exe	81
PID 1884 wrote to memory of 4308	1884	svchost.exe	81
PID 1884 wrote to memory of 4940	1884	svchost.exe	82
PID 1884 wrote to memory of 4940	1884	svchost.exe	82
PID 1884 wrote to memory of 4940	1884	svchost.exe	82
PID 4940 wrote to memory of 2096	4940	Synaptics.exe	83
PID 4940 wrote to memory of 2096	4940	Synaptics.exe	83
PID 4308 wrote to memory of 4596	4308	._cache_svchost.exe	86
PID 4308 wrote to memory of 4596	4308	._cache_svchost.exe	86
PID 4308 wrote to memory of 2024	4308	._cache_svchost.exe	88
PID 4308 wrote to memory of 2024	4308	._cache_svchost.exe	88
PID 4308 wrote to memory of 244	4308	._cache_svchost.exe	90
PID 4308 wrote to memory of 244	4308	._cache_svchost.exe	90
PID 4308 wrote to memory of 4820	4308	._cache_svchost.exe	92
PID 4308 wrote to memory of 4820	4308	._cache_svchost.exe	92
PID 4308 wrote to memory of 1992	4308	._cache_svchost.exe	94
PID 4308 wrote to memory of 1992	4308	._cache_svchost.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\UPDATE INTERNAL JAXX SHIT.exe
"C:\Users\Admin\AppData\Local\Temp\UPDATE INTERNAL JAXX SHIT.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAeABwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAYgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbABtACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Users\Admin\UPDATE EXTERNAL JAXX SHIT.exe
  "C:\Users\Admin\UPDATE EXTERNAL JAXX SHIT.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1992
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2096

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69416944dac24129d0969e2ac46f0533

SHA1
d71969659956b32411e0606a9bee640a0b108ef4

SHA256
dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca

SHA512
aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc8e75ac6aa8def4a6a6f379597f3e11

SHA1
78f26e45c2749e997041a113d2652bafbe174d9f

SHA256
fe503ddb7bc0cfb618d503e546fe175ecc9dcfcadbb6d9af93ef60f05ff6b7a1

SHA512
7cb756797d1ef2fbe17bc3b640e664f818b35c509ef52f24a6c4e1862fc0cf26189a8aceea5e7acc2fadbbf8958e8445f6035f9f95b1b51af7535ff25ffc683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe

Filesize
41KB

MD5
3e151bd1c1d4bc34246b025fd1e04fcf

SHA1
a6dd8417c6d302f7ee817a97ca5ffb6c4535c52b

SHA256
f2f1ed3b60b03ee311b9051167fb5cfe708bec16636f288e264b6ea6d3f79dc2

SHA512
2e966ca70e7b4d2c8fbaab08806dc0d1f56521ec625dd0dfcc51ed93e097b3f2caaf55fde3140aa9b0e8542e6b545bc4e7f1f2a8ab803804ef26cbfd005254ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\QRi2pEpu.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsiyfhb3.ss4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\UPDATE EXTERNAL JAXX SHIT.exe

Filesize
1.2MB

MD5
12a7584272d0dbaa2072ed2c240c6d6a

SHA1
2d7d7bfb78b1f7fc2381e3c77e736c60e0429c72

SHA256
38b7495d39c732beba94b2b1d0a33217786f0bbd202e3e5adf0ff658b04d8091

SHA512
33c6e450a6f7ecfdc54977c0a79650fb4a267e1c13987670cba695c13eca16448616afde0e8adfa135e367ed049d09f6457a99770afd37cd5a9097938c859000

Download Submit
C:\Users\Admin\svchost.exe

Filesize
795KB

MD5
f4248e424ff0daa757f03b563879dd24

SHA1
7cf8c92db81a360d7d2e74d299162e4955348aa4

SHA256
3e49de38c38b65519920be9ae308d70958acd0796979cabd53183d64e2ab0124

SHA512
7ed70622ce494e3b8954d6162c9c2e3f332a60882c665675f6c74143f73f40486c0436784ddb9c9ef62b5ced310f74ce20e6ba568bc85bf31fe635b40332f347

Download Submit
memory/1240-267-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/1240-272-0x0000000007510000-0x000000000751E000-memory.dmp

Filesize
56KB

Download
memory/1240-101-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/1240-111-0x0000000005A90000-0x0000000005DE7000-memory.dmp

Filesize
3.3MB

Download
memory/1240-46-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/1240-182-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/1240-183-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

Filesize
304KB

Download
memory/1240-50-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/1240-255-0x0000000007160000-0x0000000007194000-memory.dmp

Filesize
208KB

Download
memory/1240-256-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/1240-265-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/1240-266-0x00000000071A0000-0x0000000007244000-memory.dmp

Filesize
656KB

Download
memory/1240-100-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/1240-268-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/1240-269-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/1240-270-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/1240-271-0x00000000074D0000-0x00000000074E1000-memory.dmp

Filesize
68KB

Download
memory/1240-102-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/1240-273-0x0000000007520000-0x0000000007535000-memory.dmp

Filesize
84KB

Download
memory/1240-274-0x0000000007610000-0x000000000762A000-memory.dmp

Filesize
104KB

Download
memory/1240-278-0x0000000007600000-0x0000000007608000-memory.dmp

Filesize
32KB

Download
memory/1240-87-0x0000000005310000-0x000000000593A000-memory.dmp

Filesize
6.2MB

Download
memory/1884-49-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1884-193-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2024-301-0x0000028E4EC90000-0x0000028E4ECB2000-memory.dmp

Filesize
136KB

Download
memory/2952-285-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/2952-287-0x00007FFE662F0000-0x00007FFE66300000-memory.dmp

Filesize
64KB

Download
memory/2952-288-0x00007FFE662F0000-0x00007FFE66300000-memory.dmp

Filesize
64KB

Download
memory/2952-282-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/2952-283-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/2952-286-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/2952-284-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/4308-133-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/4940-327-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4940-333-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download