xworm | f9cd798df715647337e56cedf49fcf778ed456d82f4a39114830e6de52568696

Analysis

max time kernel
75s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10-18-19-14.exe
Size

74KB
MD5

2536196d167ace8223ae7453964efc43
SHA1

56299f1745c8ec79d0208b14d10eb744d927b70e
SHA256

f9cd798df715647337e56cedf49fcf778ed456d82f4a39114830e6de52568696
SHA512

625b771cdda5f60569657c6c347dc22deda3cc545f783f212a6a48a6d4c013d65e18b67ec8124e6e58fe84f80d511a4ce29bc657d94911b13e30fbc86da6aa5c
SSDEEP

1536:l09hsM7RYzLo4DsZSICu4My9mGm51dU0tppsOuVggs0Rh69:lCD7RcjDs0ICuesGodXXM3R

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

trip-thesaurus.gl.at.ply.gg:16715

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cc0-4.dat	family_xworm
behavioral1/memory/1440-12-0x0000000000B70000-0x0000000000B88000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
2900	powershell.exe
4832	powershell.exe
1168	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2024-01-10-18-19-14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2024-01-10-18-19-14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	tivlze.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	tivlze.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2024-01-10-18-19-14.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2024-01-10-18-19-14.exe

Executes dropped EXE 9 IoCs

pid	Process
1440	2024-01-10-18-19-14.exe
2056	SecurityHealthSystray
4496	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
4504	tivlze.exe
3024	tivlze.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray"	2024-01-10-18-19-14.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	tivlze.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\2024-01-10-18-19-14.exe	2024-01-10-18-19-14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tivlze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tivlze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-01-10-18-19-14.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
392	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1440	2024-01-10-18-19-14.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5104	powershell.exe
5104	powershell.exe
1908	powershell.exe
1908	powershell.exe
2900	powershell.exe
2900	powershell.exe
4832	powershell.exe
4832	powershell.exe
1168	powershell.exe
1168	powershell.exe
1440	2024-01-10-18-19-14.exe
2364	tivlze.exe
2364	tivlze.exe
2364	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
3372	tivlze.exe
3372	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
2364	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
2364	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
3372	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
424	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
3348	tivlze.exe
4504	tivlze.exe
4504	tivlze.exe
3348	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
424	tivlze.exe
3372	tivlze.exe
3372	tivlze.exe
2364	tivlze.exe
2364	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
2364	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
3372	tivlze.exe
4504	tivlze.exe
4504	tivlze.exe
3348	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
424	tivlze.exe
4504	tivlze.exe
4504	tivlze.exe
3372	tivlze.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	2024-01-10-18-19-14.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1440	2024-01-10-18-19-14.exe
Token: SeDebugPrivilege	2056	SecurityHealthSystray
Token: SeShutdownPrivilege	3372	tivlze.exe
Token: SeShutdownPrivilege	2364	tivlze.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1440	2024-01-10-18-19-14.exe
3024	tivlze.exe
3372	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
3348	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
3372	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
2364	tivlze.exe
3372	tivlze.exe
3348	tivlze.exe
424	tivlze.exe
3372	tivlze.exe
2364	tivlze.exe
3348	tivlze.exe
424	tivlze.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 5104	1596	2024-01-10-18-19-14.exe	83
PID 1596 wrote to memory of 5104	1596	2024-01-10-18-19-14.exe	83
PID 1596 wrote to memory of 5104	1596	2024-01-10-18-19-14.exe	83
PID 1596 wrote to memory of 1440	1596	2024-01-10-18-19-14.exe	85
PID 1596 wrote to memory of 1440	1596	2024-01-10-18-19-14.exe	85
PID 1440 wrote to memory of 1908	1440	2024-01-10-18-19-14.exe	87
PID 1440 wrote to memory of 1908	1440	2024-01-10-18-19-14.exe	87
PID 1440 wrote to memory of 2900	1440	2024-01-10-18-19-14.exe	89
PID 1440 wrote to memory of 2900	1440	2024-01-10-18-19-14.exe	89
PID 1440 wrote to memory of 4832	1440	2024-01-10-18-19-14.exe	91
PID 1440 wrote to memory of 4832	1440	2024-01-10-18-19-14.exe	91
PID 1440 wrote to memory of 1168	1440	2024-01-10-18-19-14.exe	93
PID 1440 wrote to memory of 1168	1440	2024-01-10-18-19-14.exe	93
PID 1440 wrote to memory of 392	1440	2024-01-10-18-19-14.exe	100
PID 1440 wrote to memory of 392	1440	2024-01-10-18-19-14.exe	100
PID 1440 wrote to memory of 4496	1440	2024-01-10-18-19-14.exe	115
PID 1440 wrote to memory of 4496	1440	2024-01-10-18-19-14.exe	115
PID 1440 wrote to memory of 4496	1440	2024-01-10-18-19-14.exe	115
PID 4496 wrote to memory of 2364	4496	tivlze.exe	117
PID 4496 wrote to memory of 2364	4496	tivlze.exe	117
PID 4496 wrote to memory of 2364	4496	tivlze.exe	117
PID 4496 wrote to memory of 3372	4496	tivlze.exe	118
PID 4496 wrote to memory of 3372	4496	tivlze.exe	118
PID 4496 wrote to memory of 3372	4496	tivlze.exe	118
PID 4496 wrote to memory of 3348	4496	tivlze.exe	119
PID 4496 wrote to memory of 3348	4496	tivlze.exe	119
PID 4496 wrote to memory of 3348	4496	tivlze.exe	119
PID 4496 wrote to memory of 424	4496	tivlze.exe	120
PID 4496 wrote to memory of 424	4496	tivlze.exe	120
PID 4496 wrote to memory of 424	4496	tivlze.exe	120
PID 4496 wrote to memory of 4504	4496	tivlze.exe	121
PID 4496 wrote to memory of 4504	4496	tivlze.exe	121
PID 4496 wrote to memory of 4504	4496	tivlze.exe	121
PID 4496 wrote to memory of 3024	4496	tivlze.exe	122
PID 4496 wrote to memory of 3024	4496	tivlze.exe	122
PID 4496 wrote to memory of 3024	4496	tivlze.exe	122
PID 3024 wrote to memory of 208	3024	tivlze.exe	125
PID 3024 wrote to memory of 208	3024	tivlze.exe	125
PID 3024 wrote to memory of 208	3024	tivlze.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-01-10-18-19-14.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10-18-19-14.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdgBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAaABqACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\2024-01-10-18-19-14.exe
  "C:\Windows\2024-01-10-18-19-14.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\2024-01-10-18-19-14.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2024-01-10-18-19-14.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:392
- - C:\Users\Admin\AppData\Local\Temp\tivlze.exe
    "C:\Users\Admin\AppData\Local\Temp\tivlze.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\tivlze.exe
      "C:\Users\Admin\AppData\Local\Temp\tivlze.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\tivlze.exe
      "C:\Users\Admin\AppData\Local\Temp\tivlze.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\tivlze.exe
      "C:\Users\Admin\AppData\Local\Temp\tivlze.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\tivlze.exe
      "C:\Users\Admin\AppData\Local\Temp\tivlze.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:424
  - - C:\Users\Admin\AppData\Local\Temp\tivlze.exe
      "C:\Users\Admin\AppData\Local\Temp\tivlze.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\tivlze.exe
      "C:\Users\Admin\AppData\Local\Temp\tivlze.exe" /main
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:208

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f038ac2e2ceadad0f78317ea7de6881

SHA1
f2ee66d1ab22d5594426a26e9d2628ce29b037a7

SHA256
475591875182108710538a2ea21a89e0ffa1df43f776689288e0fa96da46efb7

SHA512
f751f1f06b79550af211a9bf39d59712bb60f4e2c79a24d850970b1d40e871c2e53ce84ed4f5d974dad53cdbfb95d38a8eff9f871f22ae2d3e772deb731715f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
de8000ee7ccd8dab1c94c845ae63ce29

SHA1
f0c259e7258e6096a5ed721366d1e49f3096cfe6

SHA256
79f624725ac90635a86852d96bf93c440058450ef78fc36e6fd0e7f8f5801cec

SHA512
1543ef006e4d266e8de8a8b0569884b56f4ab48903e368f14051086355e373a4c57ecb6d47efdacda7637a62fdb9ad8527648acc36da98a165974486a8977d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gd5t3ydm.ohf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tivlze.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Windows\2024-01-10-18-19-14.exe

Filesize
68KB

MD5
0c8294e9d43eab4f86105d4c92afbfa0

SHA1
338416be49b72459690d9bc8e5d0da66dae8ffd5

SHA256
55b9e348d510dcaeb9ac6d33eb7d4057cbfe186feb3ce476eb26935db1fd393d

SHA512
f24cd690851ce0a2dff4c009ebc87d8072c6ad76cfaa5ff16fa318af87887fbc623fdfe26b141b4c1c7ab8f911bbae503b7514fb8ef5229f5579b5a5106be491

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1440-134-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/1440-112-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/1440-113-0x0000000001350000-0x000000000135C000-memory.dmp

Filesize
48KB

Download
memory/1440-49-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/1440-12-0x0000000000B70000-0x0000000000B88000-memory.dmp

Filesize
96KB

Download
memory/1440-11-0x00007FFEC6CD3000-0x00007FFEC6CD5000-memory.dmp

Filesize
8KB

Download
memory/1908-66-0x00000202D1FD0000-0x00000202D1FF2000-memory.dmp

Filesize
136KB

Download
memory/5104-20-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/5104-55-0x0000000007A80000-0x0000000007A8E000-memory.dmp

Filesize
56KB

Download
memory/5104-33-0x00000000074B0000-0x00000000074E2000-memory.dmp

Filesize
200KB

Download
memory/5104-46-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-48-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-47-0x00000000074F0000-0x0000000007593000-memory.dmp

Filesize
652KB

Download
memory/5104-45-0x0000000006AD0000-0x0000000006AEE000-memory.dmp

Filesize
120KB

Download
memory/5104-44-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-50-0x0000000007E60000-0x00000000084DA000-memory.dmp

Filesize
6.5MB

Download
memory/5104-51-0x00000000052A0000-0x00000000052BA000-memory.dmp

Filesize
104KB

Download
memory/5104-52-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/5104-53-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/5104-54-0x0000000007A40000-0x0000000007A51000-memory.dmp

Filesize
68KB

Download
memory/5104-34-0x0000000070E50000-0x0000000070E9C000-memory.dmp

Filesize
304KB

Download
memory/5104-56-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/5104-32-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/5104-67-0x0000000007B70000-0x0000000007B8A000-memory.dmp

Filesize
104KB

Download
memory/5104-68-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/5104-31-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/5104-75-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-30-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/5104-19-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/5104-18-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/5104-17-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-16-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/5104-15-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/5104-14-0x0000000002F10000-0x0000000002F46000-memory.dmp

Filesize
216KB

Download
memory/5104-13-0x000000007503E000-0x000000007503F000-memory.dmp

Filesize
4KB

Download