xworm | d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vamicheatloader.exe
Size

77KB
MD5

b074da06d9857ac5261d62b2446774a4
SHA1

7137511fab7f416097aafba40cb0b6becf6c9d6e
SHA256

d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58
SHA512

04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367
SSDEEP

1536:+dWwWpRvrlUSvelsuFXvnd4hbAbYUU0XXS06YTUgOrEKvN:I2TSSmnZvGAbD5iST/Or9N

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

rooms-belkin.gl.at.ply.gg:48066

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2188-1-0x0000000001120000-0x000000000113A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/2576-36-0x0000000001320000-0x000000000133A000-memory.dmp	family_xworm
behavioral1/memory/2324-39-0x0000000000130000-0x000000000014A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2680 powershell.exe
2720 powershell.exe
2696 powershell.exe
2532 powershell.exe

Drops startup file 2 IoCs

Processes:

vamicheatloader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2576 svchost.exe
2324 svchost.exe

pid	process
2576	svchost.exe
2324	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vamicheatloader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	vamicheatloader.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1196 schtasks.exe

flow	ioc
2	ip-api.com

pid	process
1196	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26A89711-153D-11EF-AB95-422D877631E1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exevamicheatloader.exe

pid	process
2680	powershell.exe
2720	powershell.exe
2696	powershell.exe
2532	powershell.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe
2188	vamicheatloader.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

vamicheatloader.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2188	vamicheatloader.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2188	vamicheatloader.exe
Token: SeDebugPrivilege	2576	svchost.exe
Token: SeDebugPrivilege	2324	svchost.exe
Token: 33	2576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2576	AUDIODG.EXE
Token: 33	2576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2576	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2436 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

vamicheatloader.exeiexplore.exeIEXPLORE.EXEAcroRd32.exe

pid process

2188 vamicheatloader.exe
2436 iexplore.exe
2436 iexplore.exe
2816 IEXPLORE.EXE
2816 IEXPLORE.EXE
2692 AcroRd32.exe
2692 AcroRd32.exe

pid	process
2436	iexplore.exe

pid	process
2188	vamicheatloader.exe
2436	iexplore.exe
2436	iexplore.exe
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2692	AcroRd32.exe
2692	AcroRd32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

vamicheatloader.exetaskeng.exeiexplore.exe

description	pid	process	target process
PID 2188 wrote to memory of 2680	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2680	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2680	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2720	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2720	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2720	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2696	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2696	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2696	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2532	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2532	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 2532	2188	vamicheatloader.exe	powershell.exe
PID 2188 wrote to memory of 1196	2188	vamicheatloader.exe	schtasks.exe
PID 2188 wrote to memory of 1196	2188	vamicheatloader.exe	schtasks.exe
PID 2188 wrote to memory of 1196	2188	vamicheatloader.exe	schtasks.exe
PID 2224 wrote to memory of 2576	2224	taskeng.exe	svchost.exe
PID 2224 wrote to memory of 2576	2224	taskeng.exe	svchost.exe
PID 2224 wrote to memory of 2576	2224	taskeng.exe	svchost.exe
PID 2224 wrote to memory of 2324	2224	taskeng.exe	svchost.exe
PID 2224 wrote to memory of 2324	2224	taskeng.exe	svchost.exe
PID 2224 wrote to memory of 2324	2224	taskeng.exe	svchost.exe
PID 2436 wrote to memory of 2816	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2816	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2816	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2816	2436	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe
"C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\taskeng.exe
taskeng.exe {71F1D75E-A203-4508-8204-34D363347F09} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SendUnlock.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2816

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
edacfd2e1b6fa83d22d58e4d06eeb01b

SHA1
a867b3f2958b575f9b00d7e5babaeea16ca25669

SHA256
5b739c9fcf6df1c3a62a715e7b134ab7a6e33493a542a1482e53ea5addb63811

SHA512
0b843132c5c783d99cbbed7df452083d213ca502496a56a6f936299d9702ba6b6d79fad0ad084cdd08255e6f3cb161a9c6fe5924097547c92ee7a9ae2fd2dbf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
52fd8d3ec9b05f4177a6844027ebe658

SHA1
b4db39f6a80457110d020ae5d90075c4b977de19

SHA256
6e4abca2ffc64b77966f23ec51be0fca2efdda2d74502a5130bead2db3314cfb

SHA512
0a6bc984bbea9cb7738e4922759b1f1ba152347b267308a4dbd88a3112c269f6dcf2b3284d7066006187e143432cb67946b52f7f9968c18281aa54a85709db16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5bf69d838259336b51f40426995528b6

SHA1
64e876042f415f5982f8d0b7e41c852c08d8b2d4

SHA256
3b5048c5ebb6583fd9980e4767c7117ecb0b18483e8c0f67830af917e7cd32df

SHA512
5620991e4b13d042e23d775b448fabaa16b6670737ab27d90e03683ec43c189c380461aa6dc785c195a08bdde4a13453d0c6b43b8c49835ce1235378849ef0ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ec81d114b1682938d9643dc9abfc0e8f

SHA1
7570f19f18e7018cc50b71e14ee37bfcae208e45

SHA256
898bb276276fe802e4e12d7b3caf86cf6cd0c757b32e60d886cc30e30e01ab57

SHA512
87bdf1009d151ee93eb180ec16cf393575871785fd089d64beb833fad5ac1beb72988a6da3a4a2299cff8b1e7e2338fd6a1b7d932ca11ac056bf59fe31af9ee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
864e535ffd10b364f46be52347e31596

SHA1
811b0df2de4a5de8cd5993a809a71a0050b79bed

SHA256
885e612fb7f4e376a5b43f2fa3004effafb7194e1467d2733e1330ddf83478da

SHA512
85872e593eaae552359e30d3d708463cd147f511e7289e12ab831288f9301f21e9be0ebc8ac41f8c5b65758c9fe0fc6cdfda801f12dcafeeb8b37c63371a8d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
720624c789d80905b185ba51c1e98b03

SHA1
f22652a328a7cb9554888640e22d5fa909af6947

SHA256
488f47e968a7e0cbc2f39bb9feb3a654391b1381bbd3b80be1008d98e82c75ce

SHA512
03a0fdad531000a7ea24b3227471844353ad1a0ef6cc3b433b97593fc41c29222647c6ce6804d67a98c91ae1844c870c9c9bee9790b01c618e836ea8db905fd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
833e30c9d0d7ae1145353acc6f12b6c9

SHA1
3d96ed031d08afb03f01aed7e26180b295b16caa

SHA256
2f81b84ec2c75ff62be1ed58e298f8eb48df23e6a366650e7c47b4cd74b071e1

SHA512
057d457a1241d81a92dc2f73d4172707e3498223ab3de8844737c75045e7fc95a8423c3274bed78b3c31e0b8e3bfb5c1e6b680ceebc089f55c1312d591d9cb55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c6fa6744e1277bc799b87f0f302b2f56

SHA1
f2c8dec0305226339170a2e424eaf0c1bb4bd565

SHA256
b8baad021e7cedcf41cd45cf49e6421c4be368a1ebc0bf9045104fa94bee5849

SHA512
1758471b58a5f01246d5e8d2f172fd140c177ba4f3dfdb1b441bf0489ebd254d516e937dbd78f3ca50e8cacaa3569cd5323b15d9265d80a67003227217931fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab35F2.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3652.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
e1e06afacaaee044f0d15ca6193b7b7f

SHA1
6f8ab6047fd6a49ae3a27f308e8814a841759b9f

SHA256
f7e3c938068fdedb5ede0db35f7251c7dfe559e3375ccd4487c133f9b4928c42

SHA512
6ece49289b8c954864cbdab9f1c7a07011769b39d35a46723ef67abde34dbd50dbca574276abe6dc6b1b5deab4d55d5b905416428310bdbd844240ea139842be

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
77KB

MD5
b074da06d9857ac5261d62b2446774a4

SHA1
7137511fab7f416097aafba40cb0b6becf6c9d6e

SHA256
d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

SHA512
04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2188-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2188-32-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-31-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2188-485-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-1-0x0000000001120000-0x000000000113A000-memory.dmp

Filesize
104KB

Download
memory/2324-39-0x0000000000130000-0x000000000014A000-memory.dmp

Filesize
104KB

Download
memory/2576-36-0x0000000001320000-0x000000000133A000-memory.dmp

Filesize
104KB

Download
memory/2680-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2680-7-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2720-15-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2720-14-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download