Overview

overview

10

Static

static

10

55b3d90596...38.exe

windows7-x64

10

55b3d90596...38.exe

windows10-2004-x64

10

55bc6e4a24...7e.exe

windows7-x64

8

55bc6e4a24...7e.exe

windows10-2004-x64

8

55be056b62...2f.exe

windows7-x64

10

55be056b62...2f.exe

windows10-2004-x64

10

55c90346c1...7d.exe

windows7-x64

7

55c90346c1...7d.exe

windows10-2004-x64

7

55e68f668a...36.exe

windows7-x64

10

55e68f668a...36.exe

windows10-2004-x64

10

5600890872...c9.exe

windows7-x64

1

5600890872...c9.exe

windows10-2004-x64

1

563d48f590...69.exe

windows7-x64

7

563d48f590...69.exe

windows10-2004-x64

7

56583e9f6e...61.exe

windows7-x64

10

56583e9f6e...61.exe

windows10-2004-x64

10

569bb28f26...62.exe

windows7-x64

7

569bb28f26...62.exe

windows10-2004-x64

7

56a0fe7669...54.exe

windows7-x64

10

56a0fe7669...54.exe

windows10-2004-x64

10

56bf03053c...ec.exe

windows7-x64

10

56bf03053c...ec.exe

windows10-2004-x64

10

56f180528b...73.exe

windows7-x64

10

56f180528b...73.exe

windows10-2004-x64

10

5737ca76a6...88.exe

windows7-x64

10

5737ca76a6...88.exe

windows10-2004-x64

10

575bc86968...a1.exe

windows7-x64

7

575bc86968...a1.exe

windows10-2004-x64

7

57d8199712...1f.exe

windows7-x64

10

57d8199712...1f.exe

windows10-2004-x64

57f8be0d4c...5a.exe

windows7-x64

10

57f8be0d4c...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe

  • Size

    622KB

  • MD5

    a1bc8a1b9cfd1ce7f226de09131c4cfc

  • SHA1

    6834f014436774bb6d720fffdd2656eb91193918

  • SHA256

    56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54

  • SHA512

    2c01b40db9a52dd7aaf316e0011d85f7e1484728a6b65139765b7525af665205a2dd1a3fad162fb6b8dc26d69ad4ff92e86908ef072af5440923c7894f1e5ab4

  • SSDEEP

    12288:pu5MOiV13I+DRKglWfsnoeWPSRNfcU5C8RMtBmEFPpu353e+dqMX2:pu5MOiX3I+DkSWkno/PSNkxOMHmEFPgS

Score
10/10
nanocorexmrigxwormdefense_evasiondiscoveryexecutionkeyloggerminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

elroithegodofnsppd.duckdns.org:43366

elroithegodofnsppd.ddnsfree.com:43366
Mutex

4991469e-2d84-4048-8aed-20a53304961e

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    elroithegodofnsppd.ddnsfree.com

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2024-12-06T15:16:37.862063536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    43366

  • default_group

    EROI MY GOD

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    4991469e-2d84-4048-8aed-20a53304961e

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    elroithegodofnsppd.duckdns.org

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Extracted

Family

xworm

Version

5.0

C2

tunhost.duckdns.org:57891

wintun.freemyip.com:57891

87.249.134.68:57891
Attributes
  • install_file

    琀㴀Ā ☀☀ �䔗渀瘀椀爀漀渀洀攀渀琀�眍椀渀搀椀爀�瀝漀眀攀爀猀栀攀氀氀⸀攀砀攀�醀-C schtasks.exe

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Xmrig family
    xmrig
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
    "C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXxJPGhu.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DXxJPGhu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9616.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5696
    • C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
      "C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5312
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "WAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C21.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:5820
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "WAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9DE7.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3184
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: SetClipboardViewer
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5772
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /delete /f /tn "Microsoft\Windows\Client Server Runtime Process"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4456
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "Microsoft\Windows\Client Server Runtime Process" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD608.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2764
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5580
      • C:\Windows\SysWOW64\reg.exe
        "reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3700
      • C:\Users\Admin\AppData\Local\system32.exe
        "C:\Users\Admin\AppData\Local\system32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1296
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:552
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1476
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1388
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1128
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "AHMOQNZH"
          4⤵
          • Launches sc.exe
          PID:5532
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "AHMOQNZH" binpath= "C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe" start= "auto"
          4⤵
          • Launches sc.exe
          PID:5112
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          4⤵
          • Launches sc.exe
          PID:1744
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "AHMOQNZH"
          4⤵
          • Launches sc.exe
          PID:3900
      • C:\Users\Admin\AppData\Local\system32-checker.exe
        "C:\Users\Admin\AppData\Local\system32-checker.exe"
        3⤵
        • Executes dropped EXE
        PID:5080
  • C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe
    C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3200
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4064
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:5344
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:4760
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5508

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    System Services

    2
    T1569

    Service Execution

    2
    T1569.002

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Power Settings

    1
    T1653

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    5
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Service Stop

    1
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ci4j3tot.maq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9616.tmp
      Filesize

      1KB

      MD5

      79e2c99c9c7a0ae0d3261245d96d3573

      SHA1

      06269e9dbabdd8e2acea250b2654b3669c8a22c5

      SHA256

      9fb1709a3ce9babccdea2580173d6fbf98d88cddb759678f31b68e398f2bf426

      SHA512

      40a330a08e61a259da88992ef456237ce7182e024ad6af53e63f7600b33daa366c83b2eed07e2fb83d964b0c980cbc5bf9a317f4f92f3a8eb50989c131950f12

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9C21.tmp
      Filesize

      1KB

      MD5

      c0d5a98f8925527303b275c45309b9e9

      SHA1

      186323b4717647925f59f698569922035094b95b

      SHA256

      209e9f3a3fc7030c5f246abc5a644e4308959773e8a8751fb6a4aa4004bf6ba2

      SHA512

      050b95bc1e510ffa3831f1c936887f383072e816b82ad99042fbaaa122b11ab6a1c7bee75a829888e35697dc34cee49481b7294507769b566b4ee59b19172706

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9DE7.tmp
      Filesize

      1KB

      MD5

      3461ac1fc77ae695ae7352b82fd675f6

      SHA1

      20e3be402700f1a8f2d3a6b5044fb0c06f5cbce8

      SHA256

      7bc3d3da76fda38b23fb2c0db8fda613c8cd1bfbbab32793a91c7c1487d75245

      SHA512

      9adbba245769bab387642ce7de86c4e1500a4d995a09999deeb9296451c238b5fdca9860dbab92961f10dc11e99df3345919b1ee42c36bf9d07813e2ccc72027

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD608.tmp
      Filesize

      1KB

      MD5

      55f737e134714dd479fb8d4417a14df5

      SHA1

      4195b4131fb1215140baaaf5a6d8e26f305572af

      SHA256

      f306ee4e70a9dd3281131c476541b78f8cbe387a8a507f3b98a48ef34ecf2835

      SHA512

      446fa2af1cfb7057fd96fbaa26b4dcec67427399c8859c85ed11d5fb7b64f6abca39581faa2f17ca32c5e57759a448266d4be6af39e730d5e596cc41701fd1bf

      Download Submit

    • C:\Users\Admin\AppData\Local\system32-checker.exe
      Filesize

      6KB

      MD5

      7c1867586dfd01366878ae08415c612c

      SHA1

      4526353fbb9b8be77f3c0f46778a740f84882f83

      SHA256

      521f29dd7236b22daba7ea9537ef6be31057a08eec9526805b4685d7970e1372

      SHA512

      ef4ff7128de21fcdec5019322247ae958b46c2ff20b36d65f32fd6921e2f7c7bd018168fb3a7c0c728f071160057c790b3d5b691aad24cd5ebd975e7abc409ba

      Download Submit

    • C:\Users\Admin\AppData\Local\system32.exe
      Filesize

      2.5MB

      MD5

      a5c4e57922031e587bf09fb90453d73e

      SHA1

      4bc3a265800ef4f7df8402292d8218553b2860b6

      SHA256

      3720ffed8da2ba9d4cabbe64331f939f36e750e7dd3d5b9ff4d937325b35543b

      SHA512

      0fd81c9ca1ea8587fa33f2da3f45896b9d22e9f8a014513316274674a4256a4f04654462ed4ed87021e999964c895734aa2814e5a37f23a2010c594ad113a491

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe
      Filesize

      32KB

      MD5

      bb88af07d7f92e77086eb2a090b508fd

      SHA1

      2fcf43147b61ed5c8e1d7d46398eb3749e649e78

      SHA256

      77ce6f10d6034a1d7ab7768278cf8322b719729f612e6afe8cff72cb637cd6ec

      SHA512

      7a41def72de640dbf057c41971b02213e75202a1863b41491e36644da17bcbfb16c41ae6c6af121b5b2f7fee4f0608f867a404f1bbbf8db5dc9444978868f7c3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
      Filesize

      191KB

      MD5

      ed3b00caa7c83ab730df4a14aeb5d6bf

      SHA1

      453eeebd3cd4a0faf5e7eca63ea6cdb0ed96971a

      SHA256

      456b4cf130884ff7283aa415425ff6e3f6c610211bc7504e41bba9346dacd827

      SHA512

      fb64f0d53215cfcbd18f9de977e2f41323192b9329e67f7c26f53692970a2688f0a6a80f836c073945404e84364620f49790b22499bbf65c904341b90ccba954

      Download Submit

    • memory/1672-87-0x0000000007430000-0x00000000074C6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1672-26-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1672-85-0x00000000071B0000-0x00000000071CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1672-84-0x00000000077F0000-0x0000000007E6A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1672-86-0x0000000007220000-0x000000000722A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1672-88-0x00000000073B0000-0x00000000073C1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1672-73-0x0000000075410000-0x000000007545C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1672-19-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1672-96-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1672-92-0x00000000074D0000-0x00000000074D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1672-20-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1816-10-0x0000000006420000-0x000000000649E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1816-1-0x00000000004B0000-0x0000000000550000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1816-5-0x0000000005200000-0x000000000529C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1816-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-9-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1816-2-0x00000000054D0000-0x0000000005A74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1816-48-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1816-8-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-7-0x00000000054A0000-0x00000000054B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1816-6-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1816-3-0x0000000004F20000-0x0000000004FB2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1816-4-0x00000000050C0000-0x00000000050CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4760-128-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4760-125-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4760-126-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4760-127-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4760-130-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4760-124-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/5080-154-0x0000000000F10000-0x0000000000F16000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5312-59-0x0000000004FB0000-0x0000000004FCE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5312-99-0x0000000000490000-0x00000000004A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5312-60-0x0000000005240000-0x000000000524A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5312-103-0x0000000004AE0000-0x0000000004B24000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5312-102-0x0000000004AD0000-0x0000000004ADE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5312-101-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5312-100-0x00000000004A0000-0x00000000004BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5312-43-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/5312-58-0x0000000004D30000-0x0000000004D3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5508-142-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-133-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-149-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-148-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-147-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-145-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-134-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-135-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-136-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-137-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-138-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-143-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-144-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-141-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-140-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5508-139-0x00000000012E0000-0x0000000001300000-memory.dmp

      Filesize

      128KB

      Download

    • memory/5508-132-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/5556-91-0x0000000007670000-0x000000000768A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5556-16-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5556-83-0x0000000007220000-0x00000000072C3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/5556-49-0x0000000006000000-0x000000000601E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5556-17-0x0000000005100000-0x0000000005728000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5556-50-0x0000000006050000-0x000000000609C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5556-18-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5556-62-0x0000000075410000-0x000000007545C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5556-61-0x00000000065E0000-0x0000000006612000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5556-21-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5556-90-0x0000000007570000-0x0000000007584000-memory.dmp

      Filesize

      80KB

      Download

    • memory/5556-95-0x0000000074B60000-0x0000000075310000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5556-72-0x0000000006620000-0x000000000663E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5556-23-0x0000000005880000-0x00000000058A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5556-25-0x0000000005A00000-0x0000000005A66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5556-89-0x0000000007560000-0x000000000756E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5556-24-0x0000000005920000-0x0000000005986000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5556-36-0x0000000005A70000-0x0000000005DC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5556-15-0x0000000002700000-0x0000000002736000-memory.dmp

      Filesize

      216KB

      Download

    • memory/5580-112-0x0000000000970000-0x000000000097E000-memory.dmp

      Filesize

      56KB

      Download