Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://workupload.c...

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2025, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://workupload.com/file/e37BeKxhFSE

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    mgdBroker.exe

  • pastebin_url

    https://pastebin.com/raw/vsmgs6F2

Signatures

  • Detect Xworm Payload 9 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://workupload.com/file/e37BeKxhFSE
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc9086cc40,0x7ffc9086cc4c,0x7ffc9086cc58
      2⤵
        PID:3496
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,4712760810552489726,8997574049851616905,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1900 /prefetch:2
        2⤵
          PID:1604
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,4712760810552489726,8997574049851616905,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2156 /prefetch:3
          2⤵
            PID:2988
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,4712760810552489726,8997574049851616905,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2248 /prefetch:8
            2⤵
              PID:4020
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,4712760810552489726,8997574049851616905,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3132 /prefetch:1
              2⤵
                PID:392
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,4712760810552489726,8997574049851616905,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3332 /prefetch:1
                2⤵
                  PID:4664
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,4712760810552489726,8997574049851616905,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4604 /prefetch:8
                  2⤵
                    PID:2268
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,4712760810552489726,8997574049851616905,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4628 /prefetch:8
                    2⤵
                      PID:2740
                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                    1⤵
                      PID:2816
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                      1⤵
                        PID:3404
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:2352
                        • C:\Program Files\7-Zip\7zFM.exe
                          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RML.rar"
                          1⤵
                          • Suspicious behavior: GetForegroundWindowSpam
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          PID:2268
                        • C:\Users\Admin\Desktop\Extreme Injector v3.exe
                          "C:\Users\Admin\Desktop\Extreme Injector v3.exe"
                          1⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4976
                          • C:\Users\Admin\AppData\Local\Temp\taskhostk.exe
                            "C:\Users\Admin\AppData\Local\Temp\taskhostk.exe"
                            2⤵
                            • Checks computer location settings
                            • Drops startup file
                            • Executes dropped EXE
                            • Adds Run key to start application
                            PID:1892
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskhostk.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2860
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostk.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5160
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\mgdBroker.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5524
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mgdBroker.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5852
                          • C:\Users\Admin\AppData\Local\Temp\Taskhostx.exe
                            "C:\Users\Admin\AppData\Local\Temp\Taskhostx.exe"
                            2⤵
                            • Checks computer location settings
                            • Drops startup file
                            • Executes dropped EXE
                            • Adds Run key to start application
                            PID:4224
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Taskhostx.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:784
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Taskhostx.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5212
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\mgdBroker.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5508
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mgdBroker.exe'
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5868
                        • C:\Users\Admin\Desktop\Extreme Injector v3.exe
                          "C:\Users\Admin\Desktop\Extreme Injector v3.exe"
                          1⤵
                          • Executes dropped EXE
                          PID:5332
                        • C:\Users\Admin\Desktop\Extreme Injector v3.exe
                          "C:\Users\Admin\Desktop\Extreme Injector v3.exe"
                          1⤵
                          • Executes dropped EXE
                          PID:5424
                        • C:\Windows\system32\taskmgr.exe
                          "C:\Windows\system32\taskmgr.exe" /4
                          1⤵
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:5232
                        • C:\Users\Admin\Desktop\Extreme Injector v3.exe
                          "C:\Users\Admin\Desktop\Extreme Injector v3.exe"
                          1⤵
                          • Executes dropped EXE
                          PID:5616

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                          Filesize

                          649B

                          MD5

                          8e39666b2dee2531f565f68ed49f5140

                          SHA1

                          8dd837397829b8a94f3f206d7ea9b4a73fd5ffbd

                          SHA256

                          7c0dee0a3ad681fd40d047e3e68b12a2b7d1f4d32d0e0616ab18718133ffa6c0

                          SHA512

                          dc131d6d752cbc333daa03e578a9924062f135ef4f0ee8164952aef2bba7540876be6ae95639b962fd77e58bb20cd1cd297ed38c6951b281a0e75f8960b24c7f

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                          Filesize

                          216B

                          MD5

                          24063a5c2acebd1a3ed2cac2689550e0

                          SHA1

                          8cfeff41659ba9442b86968768884767b7c0c7e7

                          SHA256

                          ad56f1724a0b35ab73fbd87b2d51a79c2580693b078f0dd5410310dfef205183

                          SHA512

                          73a337c5bcfd53c778b6b646ad4d1de47e12f445c49f23d428484eb93237e8a74adac9f8f804699f1a28248ecaffeaa7f4f2ab0592099d40ab826b928e0b5873

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          f13e349df1e8033ecaf93477e319a0e6

                          SHA1

                          078b0cea13a831ed3facaba39859f03ae68543fa

                          SHA256

                          87a5424f49fcf5e34ffa6bb69d086ae6f197c05e545bf761bf0253356bbbbb77

                          SHA512

                          87b3dd0240690fb705446a740c58fd7e9d85fb225e734a80687da5d56fea88dc12f9548da44ddc76e4159b2e6882b34f1645e57731edd39aa23c1ec235cccf32

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          eca65a71d5c4f4e25f331830ed2a8090

                          SHA1

                          799f3f7003622af7a01ae16f1f0344819d41bb84

                          SHA256

                          82db4adeab35ff3c74ee47d4f7a130cd6d9abf08f0405201c7a6cca49d395fba

                          SHA512

                          c24d4f8562289c8bd2268334ea9f2650a0fb750c1203c2c8bae4d6741770a90d3ce6f167be69accd9479c117335cef03015f62b90c3045bc173f7d8d3835ba64

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          e80a0f11bcc7d42a2182bcf5c5c6c4b1

                          SHA1

                          fb1d8744432356ae6a4c9ac5c46650d2aa7c1b65

                          SHA256

                          77f01fc2352db28c2d274260b1e886cf4717b1eefa065043018ae137252e2c64

                          SHA512

                          a5991c40d06b70caaa6f3a35db143afcc2cfc35ddcbcc94c5f5c5f1c3f710430af44d87ee5009e9fdc7a5912f103c1c59f18c22838b23c99f428c0042ebe476d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          9KB

                          MD5

                          d3cfbe7f31f563a3d595ef22a5c3fd42

                          SHA1

                          e8691990f105b4560aeffeffe06b60116810b2fe

                          SHA256

                          4659c75eb5138a23853a657a88e79c4052d7c3b09352b46e9ff75cc0584c944d

                          SHA512

                          b484368a26c0fb205bd4d2d4c5c2c746f6a9072ddadb132ab7cfbccdfead16ed55c7f85b34efa1a137459a1c635156cbc1775015aca7075dac8bfdeba12bb3b4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          123KB

                          MD5

                          60f5c4a543d1ca892b3625e41e66d9f9

                          SHA1

                          9a9ec5ab4ad22e96b27c7c33a1e3a09e83debd27

                          SHA256

                          4f26fae87599d2769a5a480466f38dbcd7e4fd050cbc9cb244429dbf57cc725c

                          SHA512

                          9f7d33cd59fbb3e24fd314b432ba7e5816c8d43c42e4ad2bd8c24a4bf44168329e2e2d4c9edca0a965eb73101b16375535476bfa91105d0c1d3097a031211594

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          123KB

                          MD5

                          7a18fc8ab6174e81adada4bab6e269d6

                          SHA1

                          006c9a74102b073606128bf166f9b14441823aec

                          SHA256

                          2f02c3c021503cbaf41fa5f456e56896695af58f1bc7e8116bda36241b71d9f7

                          SHA512

                          eacad66e34ac26935c55732e82e5af5a12709e0fc57bf4c532b02b4a6a54d2fb483a56c1df02489d422257a854875861c4ae6b5ffca99da3cee13d69ee9711b5

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          d85ba6ff808d9e5444a4b369f5bc2730

                          SHA1

                          31aa9d96590fff6981b315e0b391b575e4c0804a

                          SHA256

                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                          SHA512

                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          6d42b6da621e8df5674e26b799c8e2aa

                          SHA1

                          ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                          SHA256

                          5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                          SHA512

                          53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          a2c8179aaa149c0b9791b73ce44c04d1

                          SHA1

                          703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

                          SHA256

                          c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

                          SHA512

                          2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          ef647504cf229a16d02de14a16241b90

                          SHA1

                          81480caca469857eb93c75d494828b81e124fda0

                          SHA256

                          47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

                          SHA512

                          a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          22310ad6749d8cc38284aa616efcd100

                          SHA1

                          440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                          SHA256

                          55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                          SHA512

                          2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\Taskhostx.exe
                          Filesize

                          56KB

                          MD5

                          d075deb1cc427151c877a0c292ae6ac2

                          SHA1

                          a6ba5721b318764dd9d8cb8ba5edadaf23b23a3e

                          SHA256

                          73b64c9c294be0a4eb67946597d082b60fcd91f479dc3a5cdf9911e6cd2049e9

                          SHA512

                          cf3444ec5fd903f4860fb2c75c1a552ee7c15fc5769966e033645f21cbe2389444f07c2759d780f9e5fb51be077e262bf0117137c1ef85d2da3622fb84c46aed

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s32i3i2k.zh0.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\taskhostk.exe
                          Filesize

                          62KB

                          MD5

                          b2ea4c16a4a92912b3b34c14f498318a

                          SHA1

                          d3ffab4fa3ac543377e2217a3e9c4c7049b3b3f4

                          SHA256

                          e04f5afe758d98e943d0acf2d0bea0a428a1b108721cb05cb0e9ce210bfa66e1

                          SHA512

                          d7ec5e6d77839867973a7243f8bf687876544a7550383278345954a7324673ce85d575ae8352a41aa4003ffcba03d741db8f307dbcf8374a7134140e39fe0f63

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgdBroker.lnk
                          Filesize

                          788B

                          MD5

                          dd40c3cc9f1a4b1198121e7860643c9f

                          SHA1

                          806c0a9886b9c801d64650573c3aec2c9bc2eb1f

                          SHA256

                          79e9fe55ec83e0b651b69a60703abfaaa1d08f0a0a5476fd6e7a966701c03e5a

                          SHA512

                          9547f41c3141b7fd5fc6c3e44ee2590c8796aad0bf78d3c021bc90ce231759c805b0fad28d47955ede1f821bc5c4d2570cebbc5012d4e2cdcbeeae1d9a88c9af

                          Download Submit

                        • C:\Users\Admin\Desktop\Extreme Injector v3.exe
                          Filesize

                          144KB

                          MD5

                          3790561cf5628275a01a1572360cdb58

                          SHA1

                          952587b5f39f04d825fdce38b19c9c2ee04c9d25

                          SHA256

                          aad19fdaef49c05b86cdacd933a8985c328b413ad2b9a66989b4220cab4a302d

                          SHA512

                          da03b374917eaa84b90d0393169436bce0f367f7b06b9fbb38fbd312c961aff53257fd869a6051b8738550ff573bb43e25b1dabacdb78fa7b1f5989a9a588e87

                          Download Submit

                        • C:\Users\Admin\Downloads\RML.rar.crdownload
                          Filesize

                          281KB

                          MD5

                          5c001ede32c920739faf0b42fc429e16

                          SHA1

                          524b25ceeb4e4ce68685c721dada14f221778fd2

                          SHA256

                          2bbf9a2ebb51e818b72a53f9003a1599c2b82172e76af3a5de363548edb6d37e

                          SHA512

                          ec03bca1f5269469ac2e51062b22cb6b99a7a874233a0dee307c18aef48a58ad20b034d9e98ea3febffadd651ba81fcc83d1fb402727a9acca96573f7ec482b3

                          Download Submit

                        • memory/1892-123-0x0000000000840000-0x0000000000856000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/2860-125-0x0000020B4AAB0000-0x0000020B4AAD2000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/4224-124-0x0000000000730000-0x0000000000744000-memory.dmp

                          Filesize

                          80KB

                          Download

                        • memory/4976-122-0x0000000000400000-0x000000000042B000-memory.dmp

                          Filesize

                          172KB

                          Download

                        • memory/5232-244-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-245-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-246-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-250-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-256-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-255-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-254-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-253-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-252-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5232-251-0x000001962EE80000-0x000001962EE81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5332-241-0x0000000000400000-0x000000000042B000-memory.dmp

                          Filesize

                          172KB

                          Download

                        • memory/5424-243-0x0000000000400000-0x000000000042B000-memory.dmp

                          Filesize

                          172KB

                          Download

                        • memory/5616-269-0x0000000000400000-0x000000000042B000-memory.dmp

                          Filesize

                          172KB

                          Download