xworm | bd93f5ec14947b02c0ad9bc3c707c36f00f5c1ae5634cd1c646f366b46b67df8

Analysis

max time kernel
30s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Selfbot-Nuker-main.exe
Size

17.7MB
MD5

3e4117a34bb9bc2fcf82f8bc87d0982c
SHA1

d2db9067dd2e90f2087b04b21c457aa63893f44d
SHA256

bd93f5ec14947b02c0ad9bc3c707c36f00f5c1ae5634cd1c646f366b46b67df8
SHA512

50701149e5ab6a8bbf4dbd8d3d6b6a67974d8a337395683b32b17cf40bb0db3dd9627503a7cd0b69913b845a738a7d2f33c8d2268bbb36fe62ad6d2ddbc92361
SSDEEP

393216:tuaKWm5FedYT2r13CUqPlnPWVAjIp/G5Z5Usu8xDutyxn7i7eRavID:tuVzjedY6rpCDv3FUT8xDutyxZRavID

Score

10^/10

xworm discovery persistence pyinstaller rat trojan upx

Malware Config

Extracted

Family

xworm

Version

3.0

girl-resulted.gl.at.ply.gg:38526

Mutex

D76sOUoFUfoFRQ3c

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0031000000015d5c-29.dat	family_xworm
behavioral1/memory/1976-40-0x0000000000BA0000-0x0000000000BB2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	server.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	server.exe

Executes dropped EXE 8 IoCs

pid	Process
2400	Built.exe
1976	windows.exe
3044	Built.exe
264	server.exe
864	Hackz Nuker.exe
2028	Hackz Nuker.exe
2328	server.exe
1192	Explorer.EXE

Loads dropped DLL 10 IoCs

pid	Process
2720	Selfbot-Nuker-main.exe
2400	Built.exe
3044	Built.exe
2720	Selfbot-Nuker-main.exe
1652	Process not Found
864	Hackz Nuker.exe
2028	Hackz Nuker.exe
264	server.exe
264	server.exe
1192	Explorer.EXE

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001932a-38.dat	upx
behavioral1/memory/3044-48-0x000007FEF1920000-0x000007FEF1F09000-memory.dmp	upx
behavioral1/memory/264-110-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/264-109-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/264-113-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/3044-1337-0x000007FEF1920000-0x000007FEF1F09000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00050000000193f8-54.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
264	server.exe
2328	server.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	windows.exe
Token: SeDebugPrivilege	2692	explorer.exe
Token: SeDebugPrivilege	2692	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
264	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2400	2720	Selfbot-Nuker-main.exe	30
PID 2720 wrote to memory of 2400	2720	Selfbot-Nuker-main.exe	30
PID 2720 wrote to memory of 2400	2720	Selfbot-Nuker-main.exe	30
PID 2720 wrote to memory of 1976	2720	Selfbot-Nuker-main.exe	31
PID 2720 wrote to memory of 1976	2720	Selfbot-Nuker-main.exe	31
PID 2720 wrote to memory of 1976	2720	Selfbot-Nuker-main.exe	31
PID 2400 wrote to memory of 3044	2400	Built.exe	32
PID 2400 wrote to memory of 3044	2400	Built.exe	32
PID 2400 wrote to memory of 3044	2400	Built.exe	32
PID 2720 wrote to memory of 264	2720	Selfbot-Nuker-main.exe	33
PID 2720 wrote to memory of 264	2720	Selfbot-Nuker-main.exe	33
PID 2720 wrote to memory of 264	2720	Selfbot-Nuker-main.exe	33
PID 2720 wrote to memory of 264	2720	Selfbot-Nuker-main.exe	33
PID 2720 wrote to memory of 864	2720	Selfbot-Nuker-main.exe	34
PID 2720 wrote to memory of 864	2720	Selfbot-Nuker-main.exe	34
PID 2720 wrote to memory of 864	2720	Selfbot-Nuker-main.exe	34
PID 864 wrote to memory of 2028	864	Hackz Nuker.exe	36
PID 864 wrote to memory of 2028	864	Hackz Nuker.exe	36
PID 864 wrote to memory of 2028	864	Hackz Nuker.exe	36
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37
PID 264 wrote to memory of 2640	264	server.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192
- C:\Users\Admin\AppData\Local\Temp\Selfbot-Nuker-main.exe
  "C:\Users\Admin\AppData\Local\Temp\Selfbot-Nuker-main.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3044
- - C:\Users\Admin\AppData\Local\Temp\windows.exe
    "C:\Users\Admin\AppData\Local\Temp\windows.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\directory\CyberGate\install\server.exe
      "C:\directory\CyberGate\install\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\Hackz Nuker.exe
    "C:\Users\Admin\AppData\Local\Temp\Hackz Nuker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\Hackz Nuker.exe
      "C:\Users\Admin\AppData\Local\Temp\Hackz Nuker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
1acf57ea74e051d38243c42e21891073

SHA1
bd2a1f0d9a8bb6393672ee9c797d379c33d82710

SHA256
8b5fd4ee97d2ec52689a3ef25f01c64f2f681663c924bdf54233d7f3a859d354

SHA512
23ab1cceba2a251d7807eb340f2f2a83cff2ced49cdb5d772220877757224bbb6e7887de080a694d4bb454138a0ee14a70fef9c1927f0d73add79eee08eadb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9eb299eb7b9e4e14ffbc35a49155f7c6

SHA1
60da335f9f40ab30bcaf80bb23865a81f0bb41aa

SHA256
afb2cbb41a22105dc7490b1fe340fd9dbdab6050faca825cb7ce1da92ac893a4

SHA512
c4a233f04c540398989b93cd4680fccf6e8f5f35f2f4b138f528ec2e3ad6978add4555bcca41e6caa2bca478975b2a43ffa1ce544559ddfb99731896ac642c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e0b8ce71d1210b89ada5e4ae292ec3bd

SHA1
e52568344a0d213ce59cbe9fc5d6eed35a9eb43e

SHA256
23a108b7e92c358841b7e50dd83a1be35bd14142f17b660f22cf9280b90bbaba

SHA512
f6e38f66e8e4bb479b637b021589d44bf7f76fbcf251eb3f38702172cf3d0e4c8d4a45d2a4ee18e2b70d087bdd49bb06fcb0e07886c1c4cfc464f0bb83ca46e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a61ff0d43a5c3dff94fdd97d7614da32

SHA1
336b6d5d516f8e7976dd007df1f538de0c84470b

SHA256
fa6b2deb1a7a4eaaa5ed30f4e576f1ed72660c297027d671e1a2fa939227acd1

SHA512
8939782400f4cb2cf1dcd390c97db0a558578fcbe9c986ed22d7c6488cd2a6fec6067f96336e1e2c68be1bdd53b923e3fcd38a5d9a3fa53a8b7eb3a77c846027

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cf0cd22300514798045e82a56259d5da

SHA1
f38918cfcb4343f984d98491e70b9385be090f35

SHA256
af833405bb42a3c23eb5f189837c9f2ab78f52f1d17af0e65b0ce868ef11e85b

SHA512
08e3c16bf3843e86d0aa77f79b7da8629ad5bf1740c25c487a1dc975dad0cc9815f0c89c2df32f702d7d3e8e7e520e994b0aaf875a791e6c68039ac885208369

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1ef718979cb491e4204d022892da45b9

SHA1
e8c541ff4f8debce03dc39cdc3cb2dc939ec9bac

SHA256
ebc9c10c94f122056ea2f8acec18e95a0aedcf3da62954d9ac04d15c265635a7

SHA512
32ff4210ea8ea96f803c2c835bb69c83fb8805532308c308615effa776ebbd7a3d1cc4959a77f7219971d2f05dd2bd705ae87670bad65141e487dac05b982b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
330a77a802eeab88ea45a558bdac213a

SHA1
41caefeda162b36f8aa08f9666590dcc1fa6679b

SHA256
c4eedd1e6c712df0e73a579de03a1eab20edafe21148b1bd860dcc22b2aff9f3

SHA512
85a9e079dee8d532396983abcc1e106e32e37d4f693d1a7e802c3208605fb3da24bd855b94356078534c207e2e86d2270e2055d912a75f244d3fd3f41ca94240

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c2ee4b3c5046a8464fee31b3d1f0254

SHA1
ff70d5a181ccf1f5c677b12babf9dd08741e9d2e

SHA256
5e0232c876a1dd0f4ebf0ed8e9eef727ecaa2ca261fc7e74f8eeaa7df8e8f3ba

SHA512
74a13043aeda452f480a72d1168dcec5f016a9b2ac4d6445e5c4ced7b41a3a57af69e6006e09b15b340fb5b34a594768cd65056cf0abf966877dbca76dd6c43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
643a0c279057dae0c1d87e7ad6414e2d

SHA1
9165025c684a10e63bd90bb265ca80ee57bb9481

SHA256
16189f2256f0055c0bb762ef0f46ac262ec54b9d6d45b310c0f30c1e9f1502cd

SHA512
dd102b36d90458682f9ef608c9ecf95a45ed113cf236f9ec7853fd6e54119fd9a54530288a3f4f86fc64c502025771748572adf14834a21de48327fad22f8302

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8a736c0229c3fca607318751d46fe80b

SHA1
ebe1a1f2abcf4948f7a76f825164fa38dc894654

SHA256
1d4cba2eb28dd8edb26ebabfbdd7c0b53bbf3ff50bd93bf428d588ed7296963a

SHA512
97b0259d51aa5e1d31aca29357f59f4dd69f16f999720d73c0c837b5eb99346b37848d172c3cb20d4de3fcd36ba7b89b5fc907f61cd3ab60f1b15c5b1d3147f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
db61fa548a997f685db444eeef53c25b

SHA1
76d759415176aeca3efd72b17a080ecfce6a6a40

SHA256
ce832814d950e5a173c7b176b2921eb4ec79d364f8b26cf8ed111a79195a0a95

SHA512
d2b6129542febafa4c3ff538e02d2158e08e41ea1d1e95865bd89e45d272e6f53c69248282bfdb8bd1e2f8711f37907fd945bf9e295929ded0c1f01bb97b5ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3a3550e4d44704056e4f236581e02df7

SHA1
378862084aa689495b76391bbdc4d46c0d85d4c0

SHA256
54cf87572ee19736bc88ed3db2535867ed0312fa868b3b93847385e4be32530d

SHA512
7899a2c8880197141eaaae4d1f2a1ed5c170f37acc8a7ad78dafef74574649e962ad26981c806d0f67f8e4577b94d01339d752e48684bc328366169680c867c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9dcd3984e1e7e7a1362fc2a27f3c483a

SHA1
fe89fad2eaedf8ec92eb20b6d08d202e959de9df

SHA256
05ca11e6de3123f2cc56d7dee5a7280ae84571e37b10befe7695ab131303a715

SHA512
35ae85dc6952a2329e51a3707d278510ec692595c1dd1e6fccd730ba35fe3069babadc7239d29a275bf00abb2fd269f830c8f1ce6276cd326367415a171dc47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
63b453adaff02b7a9b3ee71ce52bf3a4

SHA1
1470ef1d4463e1810de7d021694d11d73d84cc88

SHA256
59658515d8075bca6f6cc4b950e0687cee71d40d575d71e1079187cf50742715

SHA512
2ee93d2f9f1f7dd4021b6c01a795dbdfebdf852f50d74ffa56906fe40b7a51291f5649880516662295d6e1304a3a3f145de5c5fc48c42fd17a6abeb86e686029

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
929db3ef5719f5b90fc5d2b488909ecd

SHA1
e07cdd434dc0ea3eaf02057655695f0ca6f58329

SHA256
6ffd77211ecf4e9bc038a3c4f8ec24bd72894fee377954cc34200f562dbdaf60

SHA512
5b1829f4e670129045d2b7a4def3c1ff4679838b766d05a45e2d0e7260bb8cf1ea70c6bfc2f79816afbda1e02a88b249cc100ad669a66c92d6b42a9cb932a3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
287650271bf3b91790d728fa19edaa7d

SHA1
952d531bd281957240af04214f750ddaf3001ae1

SHA256
84b155664a0695a0d2c21df84e66ba0922d5685e6cef9f2ecd32f8fa53d8f108

SHA512
0eb40c1fb464d3a4257df8d30508241a23af85f9bad611ecbf55f39db6c6ac0d2c3e7b2a37699294878935ca998b2c7f262f612a96f4e81fb3bb11583fb0238e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5f14bf68c6f22a908a7906ba7f068bb8

SHA1
1f92452b6281fa09a3add1f793731447cd7e59b2

SHA256
b1135bcb719f858301e7ff1bc399aea05ee6156abc93aef903cedb806f1068fe

SHA512
cc81312c7137fb52525fe152f13ff916ffe5177841757e1fb3393d6024e45421035fd0b8e5b85cd03cc356542b275b05744bcf17d60bcfecb2d86c7103c8c446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
586943f7cce452fa9b10eddda75d95d8

SHA1
923ceb659eb9c311cb2642bfc9d5984bab859212

SHA256
cda4c4d840e64929c69006bbd8b096738726945f0fd823d76fce684ef0916b03

SHA512
0cf75d40c555f9520d380d004211c972fe734b022ccc70f3c4adc85129c2f66868475c990c89f7593a182bf7f1284839817e5d62665f09d062f199941d51b490

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.4MB

MD5
9217741c2a3ee406dfc46451f43d7e24

SHA1
45b80871044183ec9ba9e8d5272beccf866cdc20

SHA256
9505346d4aeb3460451fac39959435b96d2f55a3191c8a56be7a381efcad423c

SHA512
3f5aa5b9ccaf00f76608f6f736a3f88c29d7e68a2843b251aa53c60604e107a15f28d26946a814de70ad8f059bb3df60cb29dec5620b54cd3d7807163cdf28a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8642\python39.dll

Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
428KB

MD5
15fc49728a0c0751bb86cd5feb3504b7

SHA1
3c76f53967e67abbe5ea0ab57ef0818a88c7a4c9

SHA256
6f20d88b0fca845de6f031af4f5ddc13e35eee5456987465631dcd0429b6a0cc

SHA512
fe172fd4b3809c666dc630fe07c054a9879d161173cdcb1f815b160af04454e9433d9ad6fa4e0553526a9d0687b7513b35dfc1a2fd20e9ef563e7ef76a4dc267

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe

Filesize
43KB

MD5
e46d5073430a074170fc59c062040193

SHA1
d4e9005e77265365fd057de264da04f3e1245285

SHA256
cbfb39adad10a5c440bc220db9b81cbe3405fa87cb328843e2360e6de93a1447

SHA512
81b6ccd4e2f34c1f90ba70e2bf72b3e1b79972e2723f3e07ad87276511e2644954713a4fe65a9ae5fe8515223db55802dab9cc443963e5b2e07219611ba33583

Download Submit
\Users\Admin\AppData\Local\Temp\Hackz Nuker.exe

Filesize
10.2MB

MD5
9c4946a5517669a8c2c1831abfafcec0

SHA1
e5fd6691b6df0dbc99078afe907a23690667c9c1

SHA256
22a6eb0862594b96fd3b3f9345f40d9e51e0514ca79729e01454e0f4586961ca

SHA512
e4a26051ee6515c4bc8528dde5906c307aac5dcf2312344b3bffbbac0c02a6be9aee8953cd33e4ac0f1d43a58c69e14e7957b162d0c10b424639c5e2dac41010

Download Submit
memory/264-113-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/264-110-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/264-109-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1192-114-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1976-1335-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-40-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/1976-41-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2720-3-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-1-0x0000000000EC0000-0x000000000207C000-memory.dmp

Filesize
17.7MB

Download
memory/2720-64-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-48-0x000007FEF1920000-0x000007FEF1F09000-memory.dmp

Filesize
5.9MB

Download
memory/3044-1337-0x000007FEF1920000-0x000007FEF1F09000-memory.dmp

Filesize
5.9MB

Download