xworm | fa796ccbdb277c07688707b0c3cd6fe44848d77e25cadce285d03c45a6e32f37

Analysis

max time kernel
899s
max time network
900s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWormUPDATE.exe
Size

37.7MB
MD5

db0969723ce55d07ab0931a320411ce1
SHA1

d89183adedd94cfba95c0cf619d004d94158849d
SHA256

fa796ccbdb277c07688707b0c3cd6fe44848d77e25cadce285d03c45a6e32f37
SHA512

b0c48339444d2f52489a42779045b72c69c722a9fde79932016345160a715a1d5e7482ce02c4b8506a8645ae4507ed6c17864f4d74e8d87e2810ff76bbeff08d
SSDEEP

786432:drSR8JgzXVQBpoXSHl2gHHeQ7pEHe2RwSU7QvYppG9fJU0a1uzXE26Ef/:d2brV0pHHHe6EHe2uXAYpcfa1uV/

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Mutex

OBV89v4uzmGcZD3l

Attributes

Install_directory
%Temp%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/D2tS0Xe2

aes.plain

Signatures

Detect Xworm Payload 9 IoCs

resource	yara_rule
behavioral1/files/0x00050000000186f4-139.dat	family_xworm
behavioral1/memory/2976-142-0x00000000008D0000-0x00000000008DE000-memory.dmp	family_xworm
behavioral1/memory/2540-184-0x0000000000120000-0x000000000012E000-memory.dmp	family_xworm
behavioral1/memory/1668-188-0x0000000000180000-0x000000000018E000-memory.dmp	family_xworm
behavioral1/memory/2456-306-0x00000000001D0000-0x00000000001DE000-memory.dmp	family_xworm
behavioral1/memory/996-443-0x0000000000EC0000-0x0000000000ECE000-memory.dmp	family_xworm
behavioral1/memory/2288-596-0x00000000011A0000-0x00000000011AE000-memory.dmp	family_xworm
behavioral1/memory/904-600-0x0000000000140000-0x000000000014E000-memory.dmp	family_xworm
behavioral1/memory/2820-602-0x0000000001330000-0x000000000133E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe
2396	powershell.exe
884	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xwiz.lnk	Xwiz.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xwiz.lnk	Xwiz.exe

Executes dropped EXE 17 IoCs

pid	Process
948	WizWorm.exe
2976	Xwiz.exe
2540	Xwiz.exe
1668	Xwiz.exe
2456	Xwiz.exe
996	Xwiz.exe
324	Xwiz.exe
2152	Xwiz.exe
2240	Xwiz.exe
2980	Xwiz.exe
1364	Xwiz.exe
2288	Xwiz.exe
2712	Xwiz.exe
2808	Xwiz.exe
904	Xwiz.exe
2820	Xwiz.exe
2384	Xwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xwiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xwiz.exe"	Xwiz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WizWormUPDATE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WizWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WizWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WizWorm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Xwiz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Xwiz.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2520	powershell.exe
2396	powershell.exe
884	powershell.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
948	WizWorm.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
948	WizWorm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	Xwiz.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2976	Xwiz.exe
Token: SeDebugPrivilege	2540	Xwiz.exe
Token: SeDebugPrivilege	1668	Xwiz.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeDebugPrivilege	2456	Xwiz.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
948	WizWorm.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
948	WizWorm.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3004	1460	WizWormUPDATE.exe	30
PID 1460 wrote to memory of 3004	1460	WizWormUPDATE.exe	30
PID 1460 wrote to memory of 3004	1460	WizWormUPDATE.exe	30
PID 1460 wrote to memory of 3004	1460	WizWormUPDATE.exe	30
PID 3004 wrote to memory of 948	3004	cmd.exe	32
PID 3004 wrote to memory of 948	3004	cmd.exe	32
PID 3004 wrote to memory of 948	3004	cmd.exe	32
PID 3004 wrote to memory of 2976	3004	cmd.exe	33
PID 3004 wrote to memory of 2976	3004	cmd.exe	33
PID 3004 wrote to memory of 2976	3004	cmd.exe	33
PID 2976 wrote to memory of 2520	2976	Xwiz.exe	36
PID 2976 wrote to memory of 2520	2976	Xwiz.exe	36
PID 2976 wrote to memory of 2520	2976	Xwiz.exe	36
PID 2976 wrote to memory of 2396	2976	Xwiz.exe	38
PID 2976 wrote to memory of 2396	2976	Xwiz.exe	38
PID 2976 wrote to memory of 2396	2976	Xwiz.exe	38
PID 2976 wrote to memory of 884	2976	Xwiz.exe	40
PID 2976 wrote to memory of 884	2976	Xwiz.exe	40
PID 2976 wrote to memory of 884	2976	Xwiz.exe	40
PID 2976 wrote to memory of 2304	2976	Xwiz.exe	43
PID 2976 wrote to memory of 2304	2976	Xwiz.exe	43
PID 2976 wrote to memory of 2304	2976	Xwiz.exe	43
PID 2772 wrote to memory of 2540	2772	taskeng.exe	48
PID 2772 wrote to memory of 2540	2772	taskeng.exe	48
PID 2772 wrote to memory of 2540	2772	taskeng.exe	48
PID 2772 wrote to memory of 1668	2772	taskeng.exe	49
PID 2772 wrote to memory of 1668	2772	taskeng.exe	49
PID 2772 wrote to memory of 1668	2772	taskeng.exe	49
PID 3008 wrote to memory of 1488	3008	chrome.exe	51
PID 3008 wrote to memory of 1488	3008	chrome.exe	51
PID 3008 wrote to memory of 1488	3008	chrome.exe	51
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53
PID 3008 wrote to memory of 1592	3008	chrome.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WizWormUPDATE.exe
"C:\Users\Admin\AppData\Local\Temp\WizWormUPDATE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADCC.tmp\ADCD.tmp\ADCE.bat C:\Users\Admin\AppData\Local\Temp\WizWormUPDATE.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\Music\WizWorm.exe
    WizWorm.exe
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:948
- - C:\Users\Admin\Music\Xwiz.exe
    Xwiz.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\Xwiz.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xwiz.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xwiz.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:884
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Xwiz" /tr "C:\Users\Admin\AppData\Local\Temp\Xwiz.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2980

C:\Windows\system32\taskeng.exe
taskeng.exe {570822F5-0CC5-428E-AF5C-188386EE4F92} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  C:\Users\Admin\AppData\Local\Temp\Xwiz.exe
  2⤵
  - Executes dropped EXE
  PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2a19758,0x7fef2a19768,0x7fef2a19778
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:2
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1408 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:2
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2756 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3692 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1892 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2032 --field-trial-handle=1308,i,7598571553149402877,15197866660532432968,131072 /prefetch:1
  2⤵
  PID:808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
e8e2b721a328b7959f79d965bc8b69b0

SHA1
18bbba242c29c6f98132bc11c7b2b17d1b5c4784

SHA256
5b299735aa252b212f44aa9391ecc01356bd28bb42306b9975a37dc69d11d807

SHA512
e2e4df710ee440df9662dca69121296a0cd174ee9198edf7a32280b72edf7e4c20b7634a093d02e7e887320e6be192f6475142d43598d5191c89055b2b259e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f965b56ac46487b73b947f65ce2df897

SHA1
175f4f1aa5900118b503d152275d731278439f2f

SHA256
3c742b2048255090f5d0c93776a4adfcb4de2de34524652f8be8a5732594fe9f

SHA512
b74cad4be2433fe7eaec1da0b1094a2f2ca4ef081988650eeca789d58f60b28a94933fee9e09bddfe698f28e024a9530e8be1924911b8af8adc9afc2c7921c13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
815baf92d0dda0f0c6c59b710b21abd6

SHA1
23ed3b4e5192058dc0adb728b6a23e7313a11c2a

SHA256
be7d91b859b233da9870dda4ef9bf3e7f24b14af30dc0e025580042302d5d53a

SHA512
847e837df0c1008461774dcfef3d2a0ff4a6c12fb65f1792e9ec153d136cddf0bd579ef0dd74e4e5b4e94d5c5081e455c9efced20676d89200c3f849eaf03e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6856532449e50ed5e0a92ef92158d2c7

SHA1
6c85e2be1b3ff3c5373de6122812321ea029460d

SHA256
a9fb67822c73cfe20177e862bd47e93b933969ada5ab27d3fd1de191ffc28dfb

SHA512
deb2ceff3259c83aeb4a6b146b29aae1392e335221f283f01decc01ee58fd821d3d8d2e12740e1ecbef7a7f6af825b232d6076559c3048dc948cf428022f2e3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bc9e63729ab07747fa0869e978b4ad80

SHA1
d2ce8ce7dcc77e071e25553517d89aa6d9938fbe

SHA256
573c3ebcfe053267328c28613aa74c0f1d37645fb6bef841700dee30e99c304e

SHA512
0891ce62b7497fe723bce776dff81e5e40b4aad15748fbb13926cf80925a30e6473d5cf31c877ec5ddad4257e5f75c89b31f0da8407aeaa642a0757648ea05cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
0530e2bb07512059aa01f66aa16b0145

SHA1
8968452d9a0fc411f863512244da4b961d7a3ca2

SHA256
956391140301eb8ea69cb726974d80c6d191db9e7c6ed24cabb94e2ed2491a92

SHA512
922705547c26ce0322e35b42a29a7d1851a1e8a780ddf81f30ac1f8d51d4113e2a2d6de7524a7ef7f09b4918682ebcfa66e9a115df92cee3451094ec8e35f22e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6f46e237cc938ceb7ddca031e1961975

SHA1
7d1966dafea5742efb6d7320907d1f19b403bdb6

SHA256
85305d5930e6712ecfb60224bf32ed3abad8ebe4834e6bd71ca98908dda364a0

SHA512
1d801eca20479ac89c80a79fd02490f1d71419bfbf4fe15346d9f6b2a96b575f3a6bcec6c1df44d1a218a072f06834949644f69b1a20c056c1db32e45e65b688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8ab897aa3fb8c89b3379ee0873fa64c1

SHA1
78fdd544f4b607cf0eea567f7ceb32a349cfb1ab

SHA256
69088a396f5ffea59b5674a6be2610d375c946ded7b2fff9ed2699a942888fa4

SHA512
56211ab07dc02ce3d58b1b81e4e2468ff2030c211accd7ab9e7b22c193e442d0183bcedaaa71bf58529483b9c68c5b180ca1c4259734eb9992655e65b47edf2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
31a808a4c9595008eb1c134b0debf4c8

SHA1
1c99dd47deeaddf9ba6a55926b09a82aaa51a731

SHA256
5920f9e0cd97e9ea1faf9ae0b7ac5268135bada914177aed2333d5996e82bfa1

SHA512
55a1cfdf64518463bac52665de4d646a750851a7dc86ace38deb749573b67da2d4c118a502b76f502329c35f5b5399c4b9e904a5e816bbfb952cda05f859d02f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d06d116a416e3228a3412fd64d7e4d94

SHA1
ab161f389d24f81c5bc5c60130919850992c14b5

SHA256
e410a0402632170a483e1664cb79aacc2fac987e8e82d6078f58cd57b77eb7e0

SHA512
42d802611ef25ebe8628d88ae85171dd18f39a34940744460bdce6f87ff7fafc68f31d05e05a4a05a50ed2dcdc69c808b48e8f83593b8ccf3f1ca570ca2cf0f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf79ae2a.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e9010cb2-7336-4cf5-b2cf-33eafc522484.tmp

Filesize
6KB

MD5
df2c6dbbbb8d424f804d43a379252666

SHA1
9a78c9b3a2d32cdb013207607601e482c1e26967

SHA256
2a2c6b89d5d1d11dfa7f2de8fbf1efac0e9918f43a288ff342370b77e0f43c11

SHA512
1634211392db1721b341251a3342e3a1cbdef5a6eaec4844037bbca06d545acc11f74e28736c54c209a7ec3346e94869476dd48a48aadfc4633de4627777cd1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
362KB

MD5
681efa1dc0d17130ba4c1c74ea27decf

SHA1
5a9777d53641d7311f392ea4a96d7c75f25d4ae3

SHA256
28ee4bc707d982604368880a04d9e93dabed8f9f5cebd75d00ee9921844815a6

SHA512
af52cf3ae3decb20b7e410ae4d762ebee47eb53e08f350a477c16823ca933f8eb2806a1c26e5b5f7470b1adbc39ac8f18e1abcd77b13e199abb8600a85c11bbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\eb37d74d-59cb-4ba0-a00b-be6aa63c57d0.tmp

Filesize
362KB

MD5
79580dc344a3f64fc423e985138e139d

SHA1
3199fd7f52668ceb8abec672786d726d755a8f84

SHA256
1f957a718050ff1f8874266ac0bf8fd24e67fdc00ae0a86419fb8f6e1092030a

SHA512
a2696e6e550441d18ff0aed44a0f8f4820cafd08daafb67b005cb0c851002f201b2c0d240ca287c30c0827336faace3e70cc363cd166cb19dd586ee20f8e3d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADCC.tmp\ADCD.tmp\ADCE.bat

Filesize
73B

MD5
6122998e5b787d48387700c05cab30d8

SHA1
9da37aad97c025799c63f7cc4baca6ddf2c8cc6a

SHA256
b183050b15d76b07884d2b1084a2ffa7a32331c95233b4db37a32560d18e8744

SHA512
3244ccb495fb4704e3ed4456a6b2ac2875af5cbeaffdf5c347cb8312d7d90109b5e46c4144956f05b0ef7b9bbe3946d678b8bfbe463cb46affe1df42e63a6717

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c8630d82a6f823ba7851b3446ccc4b5

SHA1
9052b7e32e18b3a1248ca9f307ed7f7d5f39bb3f

SHA256
5e56539bcff3407432127dc0a4aa0f4b4facae59889c621e8aaba1b5c5a18d87

SHA512
235090f90559a66e980f6ce045ffde7fb35bacdd7bbdc74509082a7dc8ea4a2bcfe469d6dcf314b357ce241b5139de4f0352d1da78b3ab89c792ef8e9c0ff99d

Download Submit
C:\Users\Admin\Music\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Music\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Music\Intro.wav

Filesize
591KB

MD5
d0b4077dc5623a51a8dd9fa37cafbf62

SHA1
9793779439a4e0bf5be28d1ff5e688dfb087c263

SHA256
7ef5b1508c6187f45cb9803436238658f82ecbfe43ae3fffe5b0d22a86f79600

SHA512
a94020fc4782a13b72f7729888f5ebc6e4d806a2b705bdeeae5305815d5fe177db57dd17b40c5cbeae0d8491f4f6a5e63e23485014ed8384358877b87b4cda71

Download Submit
C:\Users\Admin\Music\MetroFramework.Fonts.dll

Filesize
656KB

MD5
65ef4b23060128743cef937a43b82aa3

SHA1
cc72536b84384ec8479b9734b947dce885ef5d31

SHA256
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

SHA512
d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

Download Submit
C:\Users\Admin\Music\MetroFramework.dll

Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Users\Admin\Music\WizWorm.exe

Filesize
14.3MB

MD5
ee37a918d746512afa8e35109f6d8b85

SHA1
f98359a420af803fb7ba9941ea719dad39bea2a7

SHA256
02f104af2be304ea240158bfb8200ed782884a3eeadcaee50e706849651ee08f

SHA512
db80db4bf2094d33824078e876b23a3374929663cfe83eed507f2029910a2ae5d32b8f38aaca3b54a15c1148ae8e2b7ed706bdadfdf4a6dfc7f8a94f97ab1160

Download Submit
C:\Users\Admin\Music\Xwiz.exe

Filesize
34KB

MD5
f3972bfd9c59100b922a87a1170899c5

SHA1
5d45d8019085655fcbc9eeaeccca849985c8b009

SHA256
5b2ad8f8e061006844ed174ebb6b02988f80ccb99df887d0bc5ba4af963de95d

SHA512
cfc687548206d05453ded8286a2ad8dec001866362ce16872b0bb8109a0db9d1322c960005713f288cc054e24defd949be1f5870c63200c6a2ea0425724fa50a

Download Submit
memory/884-168-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/904-600-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/948-144-0x000000001C2B0000-0x000000001D4A2000-memory.dmp

Filesize
17.9MB

Download
memory/948-146-0x0000000000440000-0x000000000049C000-memory.dmp

Filesize
368KB

Download
memory/948-143-0x0000000000CB0000-0x0000000001B04000-memory.dmp

Filesize
14.3MB

Download
memory/948-152-0x000000001DAB0000-0x000000001DCA4000-memory.dmp

Filesize
2.0MB

Download
memory/948-170-0x000000001DEB0000-0x000000001DF5A000-memory.dmp

Filesize
680KB

Download
memory/996-443-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

Filesize
56KB

Download
memory/1668-188-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2288-596-0x00000000011A0000-0x00000000011AE000-memory.dmp

Filesize
56KB

Download
memory/2396-161-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2396-160-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2456-306-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2520-154-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2520-153-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2540-184-0x0000000000120000-0x000000000012E000-memory.dmp

Filesize
56KB

Download
memory/2820-602-0x0000000001330000-0x000000000133E000-memory.dmp

Filesize
56KB

Download
memory/2976-142-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download