Overview

overview

10

Static

static

3

NIXWARE.exe

windows7-x64

10

NIXWARE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/03/2025, 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NIXWARE.exe

  • Size

    38.0MB

  • MD5

    e32bf2403b3999a4c6274e7a33e6e950

  • SHA1

    8127410db371bbbddec6e9c5a328abf7af799648

  • SHA256

    737d5090579a24eab54f93d5aac4db006cd480a021866f384a9ba71c864a9d24

  • SHA512

    0c0129ce761a0241315264ca2ee07fef0d7b47e87290342110da94c6f8a19a2c0bd29bdc6e3a3ab19fbc2d2108e5776f278c4911fbc63bb67eaa5d294cb2f40b

  • SSDEEP

    786432:+GCUb18lLdg8ADGOlEaoPvuMMXU2o3SIkDhSdKqlH7R32AsKpDW800m70T+eU:+fTlRgPHIPvuMwUp3SVMpHldxM80n7Q+

Score
10/10
xwormdefense_evasionexecutionpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

pretty-jade.gl.at.ply.gg:24793

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Modifies security service 2 TTPs 2 IoCs
    defense_evasion
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Executes dropped EXE 9 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Loads dropped DLL 11 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Sets service image path in registry
      • Loads dropped DLL
      PID:476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        2⤵
          PID:596
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe
            3⤵
            • Drops file in System32 directory
            PID:1716
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            3⤵
              PID:328
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              3⤵
              • Checks processor information in registry
              PID:2748
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k RPCSS
            2⤵
              PID:676
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
              2⤵
              • Modifies security service
              • Indicator Removal: Clear Windows Event Logs
              PID:740
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
              2⤵
                PID:796
                • C:\Windows\system32\Dwm.exe
                  "C:\Windows\system32\Dwm.exe"
                  3⤵
                    PID:1148
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs
                  2⤵
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:848
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalService
                  2⤵
                    PID:960
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k NetworkService
                    2⤵
                      PID:112
                    • C:\Windows\System32\spoolsv.exe
                      C:\Windows\System32\spoolsv.exe
                      2⤵
                        PID:1004
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                        2⤵
                          PID:1060
                        • C:\Windows\system32\taskhost.exe
                          "taskhost.exe"
                          2⤵
                            PID:1100
                          • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                            "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                            2⤵
                              PID:1532
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                              2⤵
                                PID:2268
                              • C:\Windows\system32\sppsvc.exe
                                C:\Windows\system32\sppsvc.exe
                                2⤵
                                  PID:2240
                                • C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
                                  C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Suspicious use of SetThreadContext
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2300
                                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                    3⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Modifies data under HKEY_USERS
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2560
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                    3⤵
                                      PID:1672
                                      • C:\Windows\system32\wusa.exe
                                        wusa /uninstall /kb:890830 /quiet /norestart
                                        4⤵
                                        • Drops file in Windows directory
                                        PID:3040
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop UsoSvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:832
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:1436
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop wuauserv
                                      3⤵
                                      • Launches sc.exe
                                      PID:1664
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop bits
                                      3⤵
                                      • Launches sc.exe
                                      PID:1868
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop dosvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:1660
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2004
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1496
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2192
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2476
                                    • C:\Windows\system32\dialer.exe
                                      C:\Windows\system32\dialer.exe
                                      3⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1680
                                    • C:\Windows\system32\dialer.exe
                                      C:\Windows\system32\dialer.exe
                                      3⤵
                                        PID:1756
                                      • C:\Windows\system32\dialer.exe
                                        dialer.exe
                                        3⤵
                                        • Modifies data under HKEY_USERS
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1500
                                  • C:\Windows\system32\lsass.exe
                                    C:\Windows\system32\lsass.exe
                                    1⤵
                                      PID:492
                                    • C:\Windows\system32\lsm.exe
                                      C:\Windows\system32\lsm.exe
                                      1⤵
                                        PID:500
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:1180
                                        • C:\Users\Admin\AppData\Local\Temp\NIXWARE.exe
                                          "C:\Users\Admin\AppData\Local\Temp\NIXWARE.exe"
                                          2⤵
                                          • Loads dropped DLL
                                          • Suspicious use of WriteProcessMemory
                                          PID:2536
                                          • C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
                                            "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of WriteProcessMemory
                                            PID:1864
                                            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
                                              "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:772
                                          • C:\Users\Admin\AppData\Local\Temp\123.exe
                                            "C:\Users\Admin\AppData\Local\Temp\123.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of WriteProcessMemory
                                            PID:1144
                                            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of WriteProcessMemory
                                              PID:2152
                                              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                5⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                PID:3060
                                            • C:\Users\Admin\AppData\Local\Temp\systems.exe
                                              "C:\Users\Admin\AppData\Local\Temp\systems.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of SetThreadContext
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:880
                                              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                5⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:2640
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                5⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:2628
                                                • C:\Windows\system32\wusa.exe
                                                  wusa /uninstall /kb:890830 /quiet /norestart
                                                  6⤵
                                                  • Drops file in Windows directory
                                                  PID:1408
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop UsoSvc
                                                5⤵
                                                • Launches sc.exe
                                                PID:2660
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                5⤵
                                                • Launches sc.exe
                                                PID:2056
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop wuauserv
                                                5⤵
                                                • Launches sc.exe
                                                PID:2032
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop bits
                                                5⤵
                                                • Launches sc.exe
                                                PID:1788
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop dosvc
                                                5⤵
                                                • Launches sc.exe
                                                PID:1628
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                5⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2816
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                5⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2300
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                5⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1580
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                5⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2956
                                              • C:\Windows\system32\dialer.exe
                                                C:\Windows\system32\dialer.exe
                                                5⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:2968
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe delete "VLKIAJCI"
                                                5⤵
                                                • Launches sc.exe
                                                PID:2656
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe create "VLKIAJCI" binpath= "C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe" start= "auto"
                                                5⤵
                                                • Launches sc.exe
                                                PID:1876
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop eventlog
                                                5⤵
                                                • Launches sc.exe
                                                PID:1788
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe start "VLKIAJCI"
                                                5⤵
                                                • Launches sc.exe
                                                PID:560
                                            • C:\Users\Admin\AppData\Local\Temp\system.exe
                                              "C:\Users\Admin\AppData\Local\Temp\system.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2028
                                      • C:\Windows\system32\conhost.exe
                                        \??\C:\Windows\system32\conhost.exe "-412993636-30850382858833195514269717881947439101-674514772-253590563-1771759102"
                                        1⤵
                                          PID:2652
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "-20946607492070168547-215474213-1596134017950383246236886430-163973342169758052"
                                          1⤵
                                            PID:2836
                                          • C:\Windows\system32\conhost.exe
                                            \??\C:\Windows\system32\conhost.exe "-14029152021788925745698220027-1018762486-736192077472543241-6644970202083643994"
                                            1⤵
                                              PID:2936
                                            • C:\Windows\system32\conhost.exe
                                              \??\C:\Windows\system32\conhost.exe "506257352-2089281336-1709948427-650406719870764890-1924814541-1470922605-610723782"
                                              1⤵
                                                PID:2584
                                              • C:\Windows\system32\conhost.exe
                                                \??\C:\Windows\system32\conhost.exe "-490345110-1323946176-96303441715971833281356721434-1024095405-2124474942-125654007"
                                                1⤵
                                                  PID:1892
                                                • C:\Windows\system32\conhost.exe
                                                  \??\C:\Windows\system32\conhost.exe "-18407268471986977822-167986848512398431781449971174-1223044101148979534-440455463"
                                                  1⤵
                                                    PID:2952
                                                  • C:\Windows\system32\conhost.exe
                                                    \??\C:\Windows\system32\conhost.exe "-12568325377742569980369629-1238703791-28307130-19350976-279305872-722548225"
                                                    1⤵
                                                      PID:864
                                                    • C:\Windows\system32\conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe "1502954413-1686518242-750837048196823040-1582156022-207250267848760480-1778044645"
                                                      1⤵
                                                        PID:1040
                                                      • C:\Windows\system32\conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe "20715378431476546892-7819614442127193957-256264813-2065504830-54089225-1379043331"
                                                        1⤵
                                                          PID:1080
                                                        • C:\Windows\system32\conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe "-20488581486430377291309445655-261596121-9209884379279265051386835466-1264714079"
                                                          1⤵
                                                            PID:1736
                                                          • C:\Windows\system32\conhost.exe
                                                            \??\C:\Windows\system32\conhost.exe "-615626594927234562-15217019371581877085921720250961037435-1552318747500598712"
                                                            1⤵
                                                              PID:3000

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Reconnaissance

                                                            Resource Development

                                                            Initial Access

                                                            Execution

                                                            Command and Scripting Interpreter

                                                            1
                                                            T1059

                                                            PowerShell

                                                            1
                                                            T1059.001

                                                            System Services

                                                            2
                                                            T1569

                                                            Service Execution

                                                            2
                                                            T1569.002

                                                            Persistence

                                                            Boot or Logon Autostart Execution

                                                            1
                                                            T1547

                                                            Registry Run Keys / Startup Folder

                                                            1
                                                            T1547.001

                                                            Create or Modify System Process

                                                            3
                                                            T1543

                                                            Windows Service

                                                            3
                                                            T1543.003

                                                            Power Settings

                                                            1
                                                            T1653

                                                            Privilege Escalation

                                                            Boot or Logon Autostart Execution

                                                            1
                                                            T1547

                                                            Registry Run Keys / Startup Folder

                                                            1
                                                            T1547.001

                                                            Create or Modify System Process

                                                            3
                                                            T1543

                                                            Windows Service

                                                            3
                                                            T1543.003

                                                            Defense Evasion

                                                            Impair Defenses

                                                            1
                                                            T1562

                                                            Indicator Removal

                                                            1
                                                            T1070

                                                            Clear Windows Event Logs

                                                            1
                                                            T1070.001

                                                            Modify Registry

                                                            2
                                                            T1112

                                                            Credential Access

                                                            Discovery

                                                            Query Registry

                                                            1
                                                            T1012

                                                            System Information Discovery

                                                            2
                                                            T1082

                                                            Lateral Movement

                                                            Collection

                                                            Command and Control

                                                            Web Service

                                                            1
                                                            T1102

                                                            Exfiltration

                                                            Impact

                                                            Service Stop

                                                            1
                                                            T1489

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Local\Temp\123.exe
                                                              Filesize

                                                              11.7MB

                                                              MD5

                                                              09d833086c3a6224a6f754b56a67bc9a

                                                              SHA1

                                                              d5d2ee99bea2e70c27407aa814fd3c03e4c07b40

                                                              SHA256

                                                              bfbe9153f14ef53e2e72440e64c6d8637b9e3d7493904e9556e503863aa0463e

                                                              SHA512

                                                              ad7c49b9feb041e44a5e63a214eb42f20517fbe7167d042aa159ea3ce500a3b6c529d6dc28629ec8c8b875076feb1464aa9dc7abb73b7d4a992d35cb6a10e75f

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
                                                              Filesize

                                                              184KB

                                                              MD5

                                                              672d8f840df04da81a68c12354c67602

                                                              SHA1

                                                              f14a9a358bce7225435a4f9327722edf363139cf

                                                              SHA256

                                                              cc8522a81ca478837e76ee0975f820c0211242f859769dad4349afc9892dd6b2

                                                              SHA512

                                                              4ac90decbf88025c7ed0484b030d484b3659541ad4bf2f029d74657bcb4fc4d7f5f66a84ac9bfe8184e21fd412c1ad367c8ebf6a9e19761736bbeaf9722db962

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll
                                                              Filesize

                                                              17.3MB

                                                              MD5

                                                              225782e5d02f400a76b8fabe8a6f5cd1

                                                              SHA1

                                                              e54ef4f664a250808749be2ea9870607c20ace31

                                                              SHA256

                                                              b66713715a7aeaa2f88ba18838aa7c245556eaaeb31c82da3f5aebcb71a7715e

                                                              SHA512

                                                              9e88489361b36970a982329184b7afa9ef403ca86830427c60397e49522e5d38fc652ce4b65e79c54583a50ffee83fb138a02d638e015c9ff53e56164556be76

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI21522\python313.dll
                                                              Filesize

                                                              1.8MB

                                                              MD5

                                                              2a4aad7818d527bbea76e9e81077cc21

                                                              SHA1

                                                              4db3b39874c01bf3ba1ab8659957bbc28aab1ab2

                                                              SHA256

                                                              4712a6bb81b862fc292fcd857cef931ca8e4c142e70eaa4fd7a8d0a96aff5e7e

                                                              SHA512

                                                              d10631b7fc25a8b9cc038514e9db1597cec0580ee34a56ce5cfc5a33e7010b5e1df7f15ec30ebb351356e2b815528fb4161956f26b5bfaf3dce7bc6701b79c68

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                              Filesize

                                                              7.6MB

                                                              MD5

                                                              d1fe3814ca9c1db5bc8f227c1f63fed0

                                                              SHA1

                                                              3f38aed9ec88ad1448f74d86a730f578436f3401

                                                              SHA256

                                                              e58a28751a36e3446c61e53d34ee0b3e14e456f88fe14fc785e7680dca88c20d

                                                              SHA512

                                                              6d9800b20d39c11dc3e201c4602641b5b5cca90b63adc9b088674b4835cf8c247fb89c1fd978c9669f1be604d47731ebfc02e7c11832ec5a9f866af1f801db20

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\system.exe
                                                              Filesize

                                                              73KB

                                                              MD5

                                                              139ebb594a814128bbd5d445becb01b2

                                                              SHA1

                                                              a9d5c1789cd5b0fdc93fcbdfc82e2be0f2045537

                                                              SHA256

                                                              09e681aa73ae14a10d739ac7f112b483b3735d75c0e2bd32fb681ca85f8fc706

                                                              SHA512

                                                              9cd9e48df4445353e04d021c3d165bb8cbb7826e5c5b3c0edc45019467a52f29ca4391e0a816df3fb0ac43e93f3d663d79b0488a2965faf1cfa90097eb0b9c47

                                                              Download Submit

                                                            • \Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
                                                              Filesize

                                                              26.5MB

                                                              MD5

                                                              dcd3344e5bdca9492706ed74cbf8b233

                                                              SHA1

                                                              ed0ad8d0e65d27d34644b75fbd73b7ee8a825bc6

                                                              SHA256

                                                              75243dbdd7668c07417eb463d1b4f24d8ff4781b6d5aa0522afb2509b920cf9c

                                                              SHA512

                                                              9d31001b90e2610a74aa66b7d9a383094b3d904ad105b50c55be3aa46ef8be2f2a45a082e990a905b8673e4bcf320b4f078a53fe1435bd96e08df0bc9e09bca4

                                                              Download Submit

                                                            • \Users\Admin\AppData\Local\Temp\systems.exe
                                                              Filesize

                                                              5.2MB

                                                              MD5

                                                              76428f74791ca340b253eaed9a411d20

                                                              SHA1

                                                              0b891fe4a5aeeb5dfb21f2eca67b1d800036c83f

                                                              SHA256

                                                              e20a6eb3bfa95e86d2b89d3fe24368e361640f28fb511a2d70db3e01cf5442a4

                                                              SHA512

                                                              03f4adef8811b1a579683a8b5f461b3b69c2b49cb0becb63ab48119324b43bb55faf20a5d11878b55bed353c9656948cb30e6133c7da570d71d89b7fc8954ae7

                                                              Download Submit

                                                            • memory/432-745-0x0000000036D50000-0x0000000036D60000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/432-740-0x0000000000B70000-0x0000000000B94000-memory.dmp

                                                              Filesize

                                                              144KB

                                                              Download

                                                            • memory/432-742-0x0000000000B70000-0x0000000000B94000-memory.dmp

                                                              Filesize

                                                              144KB

                                                              Download

                                                            • memory/432-743-0x0000000000C30000-0x0000000000C5B000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/432-744-0x000007FEBE8A0000-0x000007FEBE8B0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/476-776-0x0000000036D50000-0x0000000036D60000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/476-750-0x00000000000D0000-0x00000000000FB000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/476-775-0x000007FEBE8A0000-0x000007FEBE8B0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/492-778-0x000007FEBE8A0000-0x000007FEBE8B0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/492-779-0x0000000036D50000-0x0000000036D60000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/1144-17-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

                                                              Filesize

                                                              9.9MB

                                                              Download

                                                            • memory/1144-702-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

                                                              Filesize

                                                              9.9MB

                                                              Download

                                                            • memory/1144-25-0x0000000000340000-0x0000000000EEE000-memory.dmp

                                                              Filesize

                                                              11.7MB

                                                              Download

                                                            • memory/2028-701-0x00000000001B0000-0x00000000001C8000-memory.dmp

                                                              Filesize

                                                              96KB

                                                              Download

                                                            • memory/2536-0-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/2536-2-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

                                                              Filesize

                                                              9.9MB

                                                              Download

                                                            • memory/2536-1-0x00000000002D0000-0x00000000028D8000-memory.dmp

                                                              Filesize

                                                              38.0MB

                                                              Download

                                                            • memory/2536-18-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

                                                              Filesize

                                                              9.9MB

                                                              Download

                                                            • memory/2560-1016-0x0000000000A80000-0x0000000000A88000-memory.dmp

                                                              Filesize

                                                              32KB

                                                              Download

                                                            • memory/2560-1015-0x0000000019E00000-0x000000001A0E2000-memory.dmp

                                                              Filesize

                                                              2.9MB

                                                              Download

                                                            • memory/2968-737-0x0000000140000000-0x000000014002B000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/2968-732-0x0000000140000000-0x000000014002B000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/2968-729-0x0000000140000000-0x000000014002B000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/2968-736-0x0000000076BF0000-0x0000000076D0F000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/2968-735-0x0000000076D10000-0x0000000076EB9000-memory.dmp

                                                              Filesize

                                                              1.7MB

                                                              Download

                                                            • memory/2968-734-0x0000000140000000-0x000000014002B000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/2968-731-0x0000000140000000-0x000000014002B000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/2968-730-0x0000000140000000-0x000000014002B000-memory.dmp

                                                              Filesize

                                                              172KB

                                                              Download

                                                            • memory/3060-689-0x000007FEF13F0000-0x000007FEF1A54000-memory.dmp

                                                              Filesize

                                                              6.4MB

                                                              Download

                                                            • memory/3060-708-0x000007FEF13F0000-0x000007FEF1A54000-memory.dmp

                                                              Filesize

                                                              6.4MB

                                                              Download