lucastealer | f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077

Analysis

max time kernel
163s
max time network
175s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Size

54.3MB
MD5

ccf8ac85bd8c852fe818875ad7cdccd4
SHA1

1938cfb720e3a0fe2af2aaf28755d9d2749f65af
SHA256

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077
SHA512

ef9253507d90b1731f05811ba4ed263ecccbc1e8abdcaf1ee7b2f9a5ce5cf66dedb3c5ca99a47b9516aa8ae7bf7c07c0a7b98f7eec33e33bb7b1eda7abf7911f
SSDEEP

1572864:YXog+tP2EY414hjFiHaAXH7JxA+GBO+shlvjgg9sf:8t+tP12E3Ud43h1cg9

Score

10^/10

lucastealer xworm persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

216.230.73.215:6789

Mutex

JhB3xwmTJqR9i5Pu

Attributes

Install_directory
%ProgramData%
install_file
SyncHost.exe
telegram
https://api.telegram.org/bot6051093382:AAFB_OlEEXCr5NVu4fhuf3m_RPUHXO-LxuA/sendMessage?chat_id=1876538826

aes.plain

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0035000000015c60-60.dat	family_xworm
behavioral1/files/0x0035000000015c60-61.dat	family_xworm
behavioral1/memory/2624-62-0x0000000000CE0000-0x0000000000CF2000-memory.dmp	family_xworm
behavioral1/memory/2624-65-0x000000001A7E0000-0x000000001A860000-memory.dmp	family_xworm
behavioral1/files/0x0009000000015db4-101.dat	family_xworm
behavioral1/files/0x000b000000015db4-110.dat	family_xworm
behavioral1/files/0x000b000000015db4-111.dat	family_xworm
behavioral1/memory/2424-112-0x0000000001040000-0x0000000001052000-memory.dmp	family_xworm
behavioral1/files/0x000b000000015db4-116.dat	family_xworm
behavioral1/memory/1868-117-0x0000000001130000-0x0000000001142000-memory.dmp	family_xworm

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015ca0-41.dat	family_lucastealer
behavioral1/files/0x0009000000015ca0-39.dat	family_lucastealer

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncHost.lnk	SyncHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncHost.lnk	SyncHost.exe

Executes dropped EXE 5 IoCs

pid	Process
2572	MaxCare_v23.02.09.exe
1920	ProximityUxHost.exe
2624	SyncHost.exe
2424	SyncHost.exe
1868	SyncHost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProximityUxHost = "C:\\Windows\\ProximityUxHost.exe"	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SyncHost = "C:\\Windows\\SyncHost.exe"	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SyncHost = "C:\\ProgramData\\SyncHost.exe"	SyncHost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ProximityUxHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
File opened for modification	C:\Windows\ProximityUxHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
File created	C:\Windows\SyncHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
File opened for modification	C:\Windows\SyncHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2820	schtasks.exe
1628	schtasks.exe
936	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	MaxCare_v23.02.09.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2624	SyncHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2784	powershell.exe
2748	powershell.exe
2036	powershell.exe
536	powershell.exe
1132	powershell.exe
2624	SyncHost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2624	SyncHost.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2624	SyncHost.exe
Token: SeDebugPrivilege	2424	SyncHost.exe
Token: SeDebugPrivilege	1868	SyncHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2572	MaxCare_v23.02.09.exe
2572	MaxCare_v23.02.09.exe
2624	SyncHost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2572	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	30
PID 3056 wrote to memory of 2572	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	30
PID 3056 wrote to memory of 2572	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	30
PID 3056 wrote to memory of 2572	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	30
PID 3056 wrote to memory of 2784	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	31
PID 3056 wrote to memory of 2784	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	31
PID 3056 wrote to memory of 2784	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	31
PID 3056 wrote to memory of 2820	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	35
PID 3056 wrote to memory of 2820	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	35
PID 3056 wrote to memory of 2820	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	35
PID 3056 wrote to memory of 1920	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	36
PID 3056 wrote to memory of 1920	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	36
PID 3056 wrote to memory of 1920	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	36
PID 3056 wrote to memory of 2748	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	37
PID 3056 wrote to memory of 2748	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	37
PID 3056 wrote to memory of 2748	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	37
PID 3056 wrote to memory of 1628	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	39
PID 3056 wrote to memory of 1628	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	39
PID 3056 wrote to memory of 1628	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	39
PID 3056 wrote to memory of 2624	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	41
PID 3056 wrote to memory of 2624	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	41
PID 3056 wrote to memory of 2624	3056	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	41
PID 2624 wrote to memory of 2036	2624	SyncHost.exe	42
PID 2624 wrote to memory of 2036	2624	SyncHost.exe	42
PID 2624 wrote to memory of 2036	2624	SyncHost.exe	42
PID 2624 wrote to memory of 536	2624	SyncHost.exe	44
PID 2624 wrote to memory of 536	2624	SyncHost.exe	44
PID 2624 wrote to memory of 536	2624	SyncHost.exe	44
PID 2624 wrote to memory of 1132	2624	SyncHost.exe	46
PID 2624 wrote to memory of 1132	2624	SyncHost.exe	46
PID 2624 wrote to memory of 1132	2624	SyncHost.exe	46
PID 2624 wrote to memory of 936	2624	SyncHost.exe	48
PID 2624 wrote to memory of 936	2624	SyncHost.exe	48
PID 2624 wrote to memory of 936	2624	SyncHost.exe	48
PID 852 wrote to memory of 2424	852	taskeng.exe	51
PID 852 wrote to memory of 2424	852	taskeng.exe	51
PID 852 wrote to memory of 2424	852	taskeng.exe	51
PID 852 wrote to memory of 1868	852	taskeng.exe	52
PID 852 wrote to memory of 1868	852	taskeng.exe	52
PID 852 wrote to memory of 1868	852	taskeng.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe
  "C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\ProximityUxHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "ProximityUxHost" /SC ONLOGON /TR "C:\Windows\ProximityUxHost.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2820
- C:\Windows\ProximityUxHost.exe
  "C:\Windows\ProximityUxHost.exe"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SyncHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "SyncHost" /SC ONLOGON /TR "C:\Windows\SyncHost.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1628
- C:\Windows\SyncHost.exe
  "C:\Windows\SyncHost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SyncHost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SyncHost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SyncHost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SyncHost" /tr "C:\ProgramData\SyncHost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {0ADE0B8B-3FB0-41F6-B4CB-BAF05E7B29D0} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\ProgramData\SyncHost.exe
  C:\ProgramData\SyncHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\ProgramData\SyncHost.exe
  C:\ProgramData\SyncHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\ProgramData\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\ProgramData\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\ProgramData\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe

Filesize
52.4MB

MD5
745d07515f4134e28c7018949c322bf2

SHA1
c0f39869b974bd0bf12b16ac0727742a98789f57

SHA256
a2911abfcda6aaaa1bc4a37cbdedf4562b05c2c4458d41a4897edd5b76fe7e07

SHA512
bd48f398cd0da608a66097b2f530faa7b0a9bd853bd996418b0239bb3b92c5e554f096edd2325ee09ebf5051051b14d126e515375860ad7ba5d056e46f0bb67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe

Filesize
52.4MB

MD5
745d07515f4134e28c7018949c322bf2

SHA1
c0f39869b974bd0bf12b16ac0727742a98789f57

SHA256
a2911abfcda6aaaa1bc4a37cbdedf4562b05c2c4458d41a4897edd5b76fe7e07

SHA512
bd48f398cd0da608a66097b2f530faa7b0a9bd853bd996418b0239bb3b92c5e554f096edd2325ee09ebf5051051b14d126e515375860ad7ba5d056e46f0bb67a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ecd8af5bbda9b6d1704f4d9471747503

SHA1
21b6e27a1c4ab95e601ea03f5a58d70acbfa9191

SHA256
9825c63822872f657e0ea065d209bc57c7e945c1cf40b685a20f3d6ecd48b2ec

SHA512
41d5312c25180812bf9fc90adfc8ab22722cc0b26d7483aba183885db83d2ddb0540a0edac87975f9ba5378fa8f58b267933567b7220d7e379ad482066a61a12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
be316b663b88153c45657bce1c6aa4cc

SHA1
d1edeeb45c90554c0bf1e4bfa032aa186aa8b693

SHA256
13a5e9fc6bcfe9529e2786db28d7bbfd3c9e0255830da2c3f7ecdf6dc1ff30b3

SHA512
b7d59c593e1c6e937ca939326bd5f3a4493dd19c95d19d30bed283002b820f24c6e1e83022e062a26a38119870e582d8879714310e57a6857376e9eb2d6780c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ecd8af5bbda9b6d1704f4d9471747503

SHA1
21b6e27a1c4ab95e601ea03f5a58d70acbfa9191

SHA256
9825c63822872f657e0ea065d209bc57c7e945c1cf40b685a20f3d6ecd48b2ec

SHA512
41d5312c25180812bf9fc90adfc8ab22722cc0b26d7483aba183885db83d2ddb0540a0edac87975f9ba5378fa8f58b267933567b7220d7e379ad482066a61a12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
646ac558146f451c74f614b620c735ec

SHA1
cacda72466886b28d556b354a8a0937d2a1b1a06

SHA256
1d581230b86db8f6cf69c1e947cb705152861be10eab4184f829df1c5b084044

SHA512
d7826dd58b1e49993cf3d743dc346a226b44a5f1b9f5198643491ad31b135a863f9691022b8632ae89e15be6ea9076b80c19bbdee8103db70a2fe74b26837e81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IBPT2I9K471ZIJF0NLGV.temp

Filesize
7KB

MD5
be316b663b88153c45657bce1c6aa4cc

SHA1
d1edeeb45c90554c0bf1e4bfa032aa186aa8b693

SHA256
13a5e9fc6bcfe9529e2786db28d7bbfd3c9e0255830da2c3f7ecdf6dc1ff30b3

SHA512
b7d59c593e1c6e937ca939326bd5f3a4493dd19c95d19d30bed283002b820f24c6e1e83022e062a26a38119870e582d8879714310e57a6857376e9eb2d6780c3

Download Submit
C:\Windows\ProximityUxHost.exe

Filesize
3.9MB

MD5
4b947e3d4a5da18764a788c51c2e401f

SHA1
d54952e3f8c2de20726225d14b701ff7476c834f

SHA256
73f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a

SHA512
faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e

Download Submit
C:\Windows\ProximityUxHost.exe

Filesize
3.9MB

MD5
4b947e3d4a5da18764a788c51c2e401f

SHA1
d54952e3f8c2de20726225d14b701ff7476c834f

SHA256
73f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a

SHA512
faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e

Download Submit
C:\Windows\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\Windows\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
memory/536-89-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/536-84-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/536-85-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/536-86-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/536-88-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/536-90-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/1132-98-0x000007FEEDF00000-0x000007FEEE89D000-memory.dmp

Filesize
9.6MB

Download
memory/1132-99-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1132-97-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1132-96-0x000007FEEDF00000-0x000007FEEE89D000-memory.dmp

Filesize
9.6MB

Download
memory/1132-100-0x000007FEEDF00000-0x000007FEEE89D000-memory.dmp

Filesize
9.6MB

Download
memory/1868-117-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/1868-118-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1868-119-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-78-0x000007FEEDF00000-0x000007FEEE89D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-74-0x000007FEEDF00000-0x000007FEEE89D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-77-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2036-75-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2036-71-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2036-72-0x000007FEEDF00000-0x000007FEEE89D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-73-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2424-114-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-113-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-112-0x0000000001040000-0x0000000001052000-memory.dmp

Filesize
72KB

Download
memory/2624-87-0x000000001A7E0000-0x000000001A860000-memory.dmp

Filesize
512KB

Download
memory/2624-63-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-76-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-65-0x000000001A7E0000-0x000000001A860000-memory.dmp

Filesize
512KB

Download
memory/2624-62-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/2748-54-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2748-52-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2748-55-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-47-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/2748-49-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-53-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-48-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2748-51-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2748-50-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2784-34-0x000007FEEE790000-0x000007FEEF12D000-memory.dmp

Filesize
9.6MB

Download
memory/2784-14-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2784-19-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2784-18-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2784-16-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2784-15-0x000007FEEE790000-0x000007FEEF12D000-memory.dmp

Filesize
9.6MB

Download
memory/2784-21-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2784-20-0x000007FEEE790000-0x000007FEEF12D000-memory.dmp

Filesize
9.6MB

Download
memory/2784-17-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/3056-0-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-64-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-1-0x000000013FDE0000-0x0000000143432000-memory.dmp

Filesize
54.3MB

Download
memory/3056-2-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-3-0x000000001D580000-0x000000001D600000-memory.dmp

Filesize
512KB

Download
memory/3056-33-0x000000001D580000-0x000000001D600000-memory.dmp

Filesize
512KB

Download