Resubmissions

22/01/2025, 15:52 UTC

250122-ta7ekavler 10

22/01/2025, 15:47 UTC

250122-s8lp3stlev 10

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22/01/2025, 15:47 UTC

General

  • Target

    Perm-spofer.exe

  • Size

    68KB

  • MD5

    7214f6d7b7997cbfb22a9b3e6375b918

  • SHA1

    a9c53eb43e7b0eb1cfc0bc4714bc3816274310d9

  • SHA256

    c54762e7cfed04c23c765dd85ea5e92fcdc30e34d5ff3b151595e73e50e95c03

  • SHA512

    dc40ea0a445f2fd5a7c0e9a90d391d72267d02bc004af57f494e52e492d02de196c06d7335971868e55b0a8b18bc640b89f2c56837194c79227f5a48c9e8a223

  • SSDEEP

    1536:fVNtqrwwjZ2v5yNL0c+A4qvbWWEHLhASFtx6aMrTeOg54WER:fBzByNnP4qvbWWAASbaKOg54j

Malware Config

Extracted

Family

xworm

C2

simply-exotic.gl.at.ply.gg:27183

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Perm-spofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Perm-spofer.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Perm-spofer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Perm-spofer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4928
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2056
  • C:\Users\Admin\AppData\Local\Temp\User
    C:\Users\Admin\AppData\Local\Temp\User
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Adds Run key to start application
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1104
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3680
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
      2⤵
        PID:1912
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA803.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:1452

    Network

    • flag-us
      DNS
      ip-api.com
      User
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/line/?fields=hosting
      Perm-spofer.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /line/?fields=hosting HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 22 Jan 2025 15:48:17 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 6
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • flag-us
      DNS
      simply-exotic.gl.at.ply.gg
      User
      Remote address:
      8.8.8.8:53
      Request
      simply-exotic.gl.at.ply.gg
      IN A
      Response
      simply-exotic.gl.at.ply.gg
      IN A
      147.185.221.25
    • flag-us
      DNS
      ip-api.com
      User
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/line/?fields=hosting
      User
      Remote address:
      208.95.112.1:80
      Request
      GET /line/?fields=hosting HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 22 Jan 2025 15:49:04 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 6
      Access-Control-Allow-Origin: *
      X-Ttl: 12
      X-Rl: 42
    • 208.95.112.1:80
      http://ip-api.com/line/?fields=hosting
      http
      Perm-spofer.exe
      310 B
      267 B
      5
      2

      HTTP Request

      GET http://ip-api.com/line/?fields=hosting

      HTTP Response

      200
    • 147.185.221.25:27183
      simply-exotic.gl.at.ply.gg
      Perm-spofer.exe
      967 B
      13.3kB
      13
      20
    • 147.185.221.25:27183
      simply-exotic.gl.at.ply.gg
      Perm-spofer.exe
      165.3kB
      2.4kB
      127
      40
    • 208.95.112.1:80
      http://ip-api.com/line/?fields=hosting
      http
      User
      310 B
      267 B
      5
      2

      HTTP Request

      GET http://ip-api.com/line/?fields=hosting

      HTTP Response

      200
    • 147.185.221.25:27183
      simply-exotic.gl.at.ply.gg
      User
      1.0kB
      14.9kB
      14
      21
    • 147.185.221.25:27183
      simply-exotic.gl.at.ply.gg
      User
      1.3kB
      266 B
      7
      5
    • 147.185.221.25:27183
      simply-exotic.gl.at.ply.gg
      User
      375.1kB
      7.5kB
      280
      146

    MITRE ATT&CK Enterprise v15


