xworm | 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft Network Realtime inspection.exe
Size

79KB
MD5

5c888eddae30076bd7aaa2e5d5fea097
SHA1

6a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256

267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA512

4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1
SSDEEP

1536:y8p4oJOu7J3c+Fj4zo+ib+8qn36NOuCYh0uxqau:y5oJLJM5zJib+sOeh0uVu

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

listing-trackbacks.gl.at.ply.gg:15337

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2236-1-0x00000000000B0000-0x00000000000CA000-memory.dmp	family_xworm
behavioral1/files/0x000900000001211e-34.dat	family_xworm
behavioral1/memory/2416-36-0x0000000001320000-0x000000000133A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2516	powershell.exe
1596	powershell.exe
2604	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk	Microsoft Network Realtime inspection.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk	Microsoft Network Realtime inspection.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	TLauncher

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher"	Microsoft Network Realtime inspection.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2604	powershell.exe
2836	powershell.exe
2516	powershell.exe
1596	powershell.exe
2236	Microsoft Network Realtime inspection.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	Microsoft Network Realtime inspection.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2236	Microsoft Network Realtime inspection.exe
Token: SeDebugPrivilege	2416	TLauncher

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2236	Microsoft Network Realtime inspection.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2604	2236	Microsoft Network Realtime inspection.exe	29
PID 2236 wrote to memory of 2604	2236	Microsoft Network Realtime inspection.exe	29
PID 2236 wrote to memory of 2604	2236	Microsoft Network Realtime inspection.exe	29
PID 2236 wrote to memory of 2836	2236	Microsoft Network Realtime inspection.exe	31
PID 2236 wrote to memory of 2836	2236	Microsoft Network Realtime inspection.exe	31
PID 2236 wrote to memory of 2836	2236	Microsoft Network Realtime inspection.exe	31
PID 2236 wrote to memory of 2516	2236	Microsoft Network Realtime inspection.exe	33
PID 2236 wrote to memory of 2516	2236	Microsoft Network Realtime inspection.exe	33
PID 2236 wrote to memory of 2516	2236	Microsoft Network Realtime inspection.exe	33
PID 2236 wrote to memory of 1596	2236	Microsoft Network Realtime inspection.exe	35
PID 2236 wrote to memory of 1596	2236	Microsoft Network Realtime inspection.exe	35
PID 2236 wrote to memory of 1596	2236	Microsoft Network Realtime inspection.exe	35
PID 2236 wrote to memory of 2764	2236	Microsoft Network Realtime inspection.exe	37
PID 2236 wrote to memory of 2764	2236	Microsoft Network Realtime inspection.exe	37
PID 2236 wrote to memory of 2764	2236	Microsoft Network Realtime inspection.exe	37
PID 2364 wrote to memory of 2416	2364	taskeng.exe	40
PID 2364 wrote to memory of 2416	2364	taskeng.exe	40
PID 2364 wrote to memory of 2416	2364	taskeng.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"
  2⤵
  - Creates scheduled task(s)
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\rpkxlx.exe
  "C:\Users\Admin\AppData\Local\Temp\rpkxlx.exe"
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\ijokdc.exe
  "C:\Users\Admin\AppData\Local\Temp\ijokdc.exe"
  2⤵
  PID:2576
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\qdisfo.mp3"
  2⤵
  PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {D8B93800-DBF0-4058-9F19-1C74F688C7A1} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Roaming\TLauncher
  C:\Users\Admin\AppData\Roaming\TLauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Users\Admin\AppData\Roaming\TLauncher
  C:\Users\Admin\AppData\Roaming\TLauncher
  2⤵
  PID:2556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
284B

MD5
4c02000ab1e3f8c78194d1f5665367e6

SHA1
a8ec63d13ea4b4102b60c03f2bb15ad15318e0f0

SHA256
9d349a51bf8cb0ea9224ecae376b787b8a2234b11db966752a37176096b5070f

SHA512
757cd2c054db00698bc89ec0a8da382f0bc8bde49f09330ec5bca5518446d1e67985f3643d2c3b9864800d5b7d392dcdc9adb2ed60d64895520018df1c2bcadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
371B

MD5
44ffce4de78f958dc86da8b33c3c0154

SHA1
c0c34935c62c90e3b7dc36e46f320ed94bc292ae

SHA256
a8cf1bfbcdc8381cdd6d3bdeeebadd5acfc11d14ccc74ee0f6c55e6eab42e34d

SHA512
95fab0fcca6ffce08d6d9f9d25bf9e2e911196ec6a0786262a392e38d8be6b68f47959d56d14c42c05dff0b8945090157f916732aaf30ea624e0f4c8133aea14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
429B

MD5
8b9f2a56e8098cd05c57ca2de8a46669

SHA1
4220a5c4cafa6f49018c0c35a036db12c7e2c165

SHA256
561c9339657ed504096e362735e198b8b48b597affddecf18e648adfca2bd340

SHA512
f96bd2a8807e63c63cc955d1d973d625327e56b89b01cde9a85d4857a598f5c65f0aeca5eb12cda5037f6eff718e4ba87e30b7e6fc299aaa29e4d3f8eb7d2446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
530B

MD5
9c26ebeecb1317892e6c96e3e097de63

SHA1
cbefc48daec1afd14dbde6c04b500a1cdf625e75

SHA256
0414761907c76ac7e6005336eb02cf97748da9352b24a550b1234dbe27beee72

SHA512
00fa76e9685ea2bd5e68a1c2f69eccbbc288594d486412b5178a8e9f5f89ea2bb3698ddc325510d808f51293db934c87558f97f23939f166f94419579020dc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
545B

MD5
3e5d0bed33de7bfdba1911bd31d668c2

SHA1
f5ede27d4b9288aca52c3cfa273a729851339844

SHA256
18e3c6496bdd649b2fa2d0dcfa253d2e1f2efb8132c50b59b95abe2318142843

SHA512
5030301acb8670e834c2a6ee1330cf6285aa4872d3b7530cfd239af6d1cf8dd54dee36a877c89faf7630130a1690db8c8bbb85341690d7bccce69335c75a8043

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
574B

MD5
7d954d8709dbadf82126c39b2d763924

SHA1
887005d53e69e925fe84b16bb63551f1754aa308

SHA256
c938f1bd31f0e274ad16c1873d029a5a38acaa3a06bf315a731d6056743150d7

SHA512
62efaf1006253b84a332d6e8abbabd44b9b6e8a4d674de131a783579e28b785bb09c45b647c37f3438d9c9d1606459b9a425538105b34df99a2c81d6e05d9d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
632B

MD5
aee4bbfbd717f6d6ad6b409e07d9c392

SHA1
b5fd2f7149ed9515bdab249130b794e0ca73a4b4

SHA256
90826b6575e0407448887dcc40134e58ed01c2262afc2b089ad4d1b1b3c8551f

SHA512
ef82b7143c7cda2e929c20e9700fd6bfa525a1a75479058bc391adec320b2f7d81b47b21e54fc39323117aa4fceabc5c4969afc3fb0c17bb08e4887a17fda904

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
748B

MD5
beafb90192c5d2cd3bc33cde067793db

SHA1
d52dacad66cd793d624a1c9005567295fd11dda9

SHA256
4213d502569090b5b3fa014f5ed6a88fabc563a24c6be0e7f5bc74bfd7b210c1

SHA512
0989aecde78fdc251a57144d7b141bc4497dcf5021b72b84b78afab454a7cf4ae204184a53d75c5df440fff4873e951afc18afd16a7b09c42938b4334bebe1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
777B

MD5
4a9887e3a7bb66e29f5a42d502631d72

SHA1
f24d913ab88ce12d90e915c3dce983f586feda91

SHA256
0fd5c1251c9850d87e2734dd14e96c4c30332dfcd4e609df3912445e2235d0f1

SHA512
c591cd9d2487fd439b1f15a8c1cb8f1cc1be13a92b4a6379e666ecc1711286f15be4f2fea0857aa0144093d5cb19d237c334a3f1771a0be086c28ce15b9e6645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
951B

MD5
fa7e4cce2baffd2f4e53b6f8885e4595

SHA1
e19372d769196e520dd876f59b99bd45862654b8

SHA256
b6c67d50c7425686ae6630a841a57d7199abea3e55365f9078144f9e7819ee1c

SHA512
98e316ccad6db9ac66110aeaf40162fc4d8806f36e253fc378181ded7ecf17e53ac5cedfd163f4e714ad1c464ab6b2128242965e9bc09e03b225515bb0ec8aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
868a5ead297bb709d8434ac7001904e0

SHA1
ee47608db1b1f25920bd84820518cf99669c8447

SHA256
9c02936b7b6f20455f4065f1059170e1412ed50ff3b460f6348ee0849337313e

SHA512
188ca7250396a2906d509fbb5ce84597561a83a563d86041c89e89ab5f7fd6799c512b9a351c258bfa1fed2d8e423aeacc079c0f29d22d93961f22bf879baef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
485473aa0288b56ee6d5446d4ef991f7

SHA1
01b541b5d441fb2454bbbf8487154a98e5c0ce7b

SHA256
07c12d7bd35b81f64f10b679db73769898d784c97cf4aecf439416ca6373536e

SHA512
65e7819d2ddbab3bcb89df0c4c98a05ed37c5e0ac40729aece88298be93b158f07911e0d57f9302aa4be9306c95df25f0be21410c7f4b865058fec836ed1938e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
ea01c103a8759addfeaaa050b6f4f925

SHA1
f00e26d60888516567892077bbc573b3ad06142c

SHA256
c0178e4feef7d1e2dcd061960162a99fdd2935c434b8364522ef61cb9f9fff6b

SHA512
05df1cc37cd81af2eda98cfcf5c028ef5f6608ceb133b444a717901e8173eb92c83deef59a473d0bf4d5ec1b3165f0a238203187338501cb37f329293177f973

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
4dfa844f639bedd69de6371f91f7ee9c

SHA1
e14039a520f8d565afba207fc2d56958a3cba28c

SHA256
9cac7671814be816d535acd6df13c4d1425bff72df807dfc1466057e94ab837d

SHA512
9168db1cd7f57311dd75be320b788930df9afd3d669da1399164c4e00bee5d1375a7bcf3a607e244a43ea7a0a0a762bb45520d6d460c6e43e70c190468f83e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
9b906868d2794c5b73b4afa8542f3e47

SHA1
43e3585a48d1c5141cd1a1d610e1c8e86fcc021d

SHA256
981ed787982b0609fc168b655eea86f2cf2145153140190568780f1e81f75427

SHA512
2ac9ce343a7ec694b63d0833c5483feaae112ccf85401f16970e90e6c13310a48bf19d4ba2bcb5782b17d0fd606497642bd8de93155a4d073b2bdca235c6c53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
88005ce2b42f37e4f5a4f1fdbfa14897

SHA1
95137eee65eea5f3bcb8a3e5a06fa3f1675242fc

SHA256
06adbeff0869f9f7609407b5d85f2a959598cf63a168bb9b9ba2dc8cedeac1c7

SHA512
4ea461abdca031e351a9512d774534ab429697afbdef034fc846969b3b9970d66550ebec0a9a2667c88dacafeee39d626b288864cf1345a56b7fff9fd4205f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
72d7f4dd57bfe1124c0d5114e05ff38e

SHA1
5f51d90e1b8ce57e419b05bf681b75390013b9ad

SHA256
7fb0779c55a84cf7198984e25d157cc4779085ff517d9a8aeb533dd4d2a57093

SHA512
9f5494ed8a4632f7ea5eec8770baa12e1406621541f72519b57e0a49cc37afdeea39c197c7fa819693abdac9597a1b28c48666339cab07aad9177eb56db8082a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
9d726c94f0f2437737d6f42f3d61b10d

SHA1
1c6665d4e2c7c3397211fc785c674f0333bfabed

SHA256
26aadc0370cefc9aad2244d7c72725b4cd6140e789d4fd8acf21a840f8e5b464

SHA512
0a43ec21ffdbf765739015052aef64196854a53b977e16a38dc214d0193699cbed886c59d21c9099b0466b55d7afb9b5fa234c4b0b1f497475d92e46b9e545f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
3a5ec592d89933c7e1031c2f73006cc5

SHA1
e58b9414e2f852212f9f2a757d4b8cfd78f710f8

SHA256
1e97c97fa02e24a30e0390d9a0d5b03d5794f5fd7a5bd084b1969a0adf90555f

SHA512
9c11823175e009977391961d0976c94111a1b173fd291f84be84213e5278a6df2b4068aaad39b0c718274def97b7b39d048549f701e1bbf555a8e54879735abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
00be3cd4e5c216437a0a03213c3e1965

SHA1
83d786b461baa108dc0255ffea5c2c062364ec18

SHA256
6a436bd220fa9468d66b1262f4ab5cbe65e56ca6601b64e36b9d96f890cccc48

SHA512
7c09a09df89708420123fd40e52373fe255d4a6690e3059062261d073729c1688ec66d4065aab736845c1ad6a4f7c43f04debb37bfd4d48834a69d43969dca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
fd226dc2d6146554489b11e88bf2cde1

SHA1
35bab90faad2db02ea33c61bc8c27c90529a9fab

SHA256
9e0a2ec88aa43f424937d53e2268495f0ebbc4da26bdd8960bd7741c63cbce10

SHA512
1e5c7c672c9b03f3aefb0e968bb2bb04d702cd0267602a791ac4bfa1cb92adb33702a088a351a99adbc78a5780328194d9d1d9c37da00a30ca616427a693dfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
dbf2ac594815c98c53155c70c741e286

SHA1
4447b494a1dbb2b057b72f427a77db0c18cfd395

SHA256
d7d355a49f4f99883b6ff48f3804e9dac91d9957430817e1f9bc5b1cc5511428

SHA512
d39ed242c06cad241bb96d4fd022cae133a281b43a185e353ab643da8a110fe9606d24764b8f384a8068151b6a570bd36f1f1533956566bc57486fdd19e53aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
5aee82543c9841defa6dccd5ff18e38f

SHA1
600fd5f63aba3c0d89d40c8c93d011b6b0ef63e1

SHA256
a128dff796f38e9e2d7f84bab65662f22922165f80611712ecf3aa4e11572a04

SHA512
23a562f72f1fc0e02d03a94040913e62b7f2a92bfd95d821a3a8b85242fbf0780c959d28265c5a00cd035452b7ac289687ab07c485368ded34ce4b71cdaa73a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
dc0e7a8e0e9c3c78c0ce4ed0ed840411

SHA1
5f96e145a3fed623984f00e8b57c8feb6c7ce08d

SHA256
2719ca59ba7f924f0880bd7c70ece7ec18b8eac0768372cfd860a7595a0fa43a

SHA512
f0e536ebc8c28172f97e4eeb2ddc3b68bc1b7bc6f18a463e6e9f7194a623adb592bc60735d8519ccca07cbf76b4fe1aaaeeaa3f94b607281c39a364a99fbfa21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
7d2a23aed2053771c79b95de936e4c9d

SHA1
286889b9b1e5e3470b9375f08df0c5d11043105b

SHA256
8d93d1e253d4330157cf1a2e4950278f92aa15a0942741f2e8d781427ce89e33

SHA512
f6b5b91b0100653a5ad6e9652f439b603c73a8d0ba37d2ec1f54364875a96e442060ccce801eed02b5e0a705c4a81481ac7ea398c80d2c2b6ef88c3fc7a5a794

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
07eb14eb01c5b95f5e6a1b30e261a98b

SHA1
0c325aba9d41bec31b594cad6606ac1cb8dd6413

SHA256
5cadd7e6686bc65f201b9e340d42c76a7c638d8a557c1f985cda4b679d2939d0

SHA512
e4649c761761b9c1c484599b063e2fc714f7b2e1a814e14e2278fc6ffc4b52ccce58abb97f1b26612aa6c3c35b3089502688f2c20495da3f35f8e63ca36dee2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
efec7d2306d95b6063f4a85a36264792

SHA1
f6885c6d98b1ccfad9410cb38d6387cdaf7f575e

SHA256
92b37ad5198f4e218dc229fe9590ba5d847201a3604d1c3bad4bf4a14e4c34be

SHA512
10f61c46274afb8eba1352c55dda594ba76d470ccf33db31763c90dd1a7f6f0a881224da182552aad07f6ebfb815ef1c3e18d466e12f0e8db93cbe92f5b24cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
702022f4a0861e867ea1ec7be2ce39ad

SHA1
1aca61681870eebe33ab2718465fb01407659b0e

SHA256
1b5afae6fef3a6803d10e12bd6a63be2594e5223306166d5b2e71cb2e74d851f

SHA512
4a96f2c02daa7f463da27d6e326f754922ae501c3a00a3be363698800453101be35a5cd966fffba26d1d37e694a08799134f5502a1062b5ee96b24038602c8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
3e3c258f9d3237bf647245d518b68831

SHA1
94fdf18ca84901b8e3357aacc19b66fc06e88e8f

SHA256
46f19210ff4d9d72afe8e652afb7e36227084deaefb8f6b0b7379c6bcf0d5ac3

SHA512
3d5d4004f02bd518ac494d8a2543f1cb1f68ec583a07e2919fa3000854d10f5d38b71ddb9af12f968fb1af1f427f353c6aeb5c838e6f8570b39dd59a4513a49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
cdb55faeec0835a0672dd85e56332a56

SHA1
09c6b64c9b6a6954cff8710bebe1016a87e4eb7a

SHA256
001ddf3b84ac14bc24db19756008c0c0fe1fe2afa36ac7d45879eb0cb66ac0f9

SHA512
b7f96bdc8ba8eb2a545449df66951050b9a56bbd220aabd8a1533371c91e95534ace133308740786c0593797868d04d14f800f83a19cec09061176b110daf49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
932eb8c00bb3f5093d2b12b3927175be

SHA1
4aaa2ff6ca4cd579bc0c508a44d555542cc6ba37

SHA256
ca5df8d14c51fc82efeeb9333f63810403cc2f8691c086f701100ae36fa4e6b7

SHA512
4fd621a617ab9b77829bb3902b907cd937e51905f933844d89a59c89779a39c6b542c095d7769b8f616dd29a192f81379c238d11e52d6834456b103a87617fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
92c784f5071799ddd9d248e2a377abe8

SHA1
061e187dd09d7e132d891f6e25d5f04d39ae942b

SHA256
94237b020302211b4429535a0320ef69c4f681360851a80faea9a91c6df1318d

SHA512
462f3dae8489d7b637abc6bd26fdfa5949e0b335e95f7b816142fee2d5ffb0dbdb2c64c3cc204fc24a2638b5a7ef7292a28ad7b136dec9b141f2c834a9155897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
c190b313d49dffa9dc60916163f59f41

SHA1
03414957a9a6bfb3d90798835996e8ff91d77cee

SHA256
143b314796ee6b2c72d369c7da41d7941a6e7e1615de3ff825e8c6452fadc72b

SHA512
37352c66ab863a07703a45754ae60984db10aaf8b89a43e890ffdce0e64e4b7da923a39c77da16680371ee28f676cd6b8816a4ac2c0cdce21aaa5aa25937156e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
c3d1a0f07e497c3044b40fd230bdc14b

SHA1
a41a723c99c83c18814d3fbc485ea5ee38f500e8

SHA256
9506d5686d6e378d4ba4405f391d4f4c4989dd66cdba308d3926bbb7302e7b06

SHA512
ad54717909635d4eebc2baef0198f6375f2bca55b12611525f9f08e1be6423207735c8eec4445670ad63c23db142fafd30cc9afe498f714fccb485aebb04f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
b883289d2ec306fabaefc36d9c2951bf

SHA1
4799f0650ee246f603d04b6b50ae2ccd0b1e6d88

SHA256
bfd66990a76135544b286e0d66bd70f965eac8e1dcf04186b36d1dfe1573058a

SHA512
aa140737e186ffbe827d312f8948a1e067e2f1e8ef025ccf4fa77efcdc2e774574b48d16cf0c6d8c73fd60210cfc61ce64125657ee7d110eeb6b55fe0f8dbdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
240B

MD5
c3a5ce85c40192cd052edfcf022a07e4

SHA1
3198e80609769ad9215fa51be8c9ebb554b1d1f1

SHA256
72985343bfb4b336f1b6ec81c46a49667d21060d9000017fe09f762505b1ba4b

SHA512
2dd4d1dabdddb14ca8a8d44c34caefaebdc5e74b8ced44b8e866b0d87264276330f31d7ff2bbde596d8265f181fbf572ebeab25dbc770ac6cb77d6d5e1e4b432

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
269B

MD5
f49e778317dfbb4579835e471ff2a6fa

SHA1
316c4929327bc075948b049f9ab2142340a6495a

SHA256
8f035a33deb0319b3011f1a145c6b7304e0bcad57bba288f9f71d9bc981a9d0a

SHA512
b0733326d2cf5bca6ac84264e6d24172602f39445f64d924b08b9e6662d7b6fa86233442b943ced265aeeed1873d517765efda51d978692f0b944d69539080b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijokdc.exe

Filesize
28KB

MD5
62cbb85434223022a0b0e369b227a3d9

SHA1
4978b691168f16c678a1ffe53e126ba1d946bce0

SHA256
ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd

SHA512
f76d281ce4c4401315f811dba1512757fa59a9c1ca6486c006f7861aed793a1f196fd66b772405374a751f383b5a234234e64de16f2fe9d613694e354b882f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdisfo.mp3

Filesize
648KB

MD5
f7f81920f6c6aa97a91475c1426b9a63

SHA1
84808aebd973bb0538606fb48153ad1b0a42c005

SHA256
388d6009b8ff701269e92c87b53825dc7526b49a1ba94dba5c3a2b346fd52042

SHA512
645bcf905064321fcbf7025b280902a4c6a6d6ecc816df6cf4a917d19fe69d3ec5509c4e428080335b7c5b59862d212aa9d545cc4c906bfe2bd6ec174dde8234

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpkxlx.exe

Filesize
104KB

MD5
f3dff8c02fc6b4ba001517bd2419aa49

SHA1
63b91c81e8052a9dea3414086688762f8892ea0a

SHA256
9c3b6e9259e0e4e8c8dd7a5e8813bab3e8111ff4b4b41049621b7f40d8e9f6fa

SHA512
5325eb276e41b5a6b78fc6048642cc6e4348a78ccee543ecfbf287785b41af467d53fb578a8681a3746cb64ef7b7439f066e0dfa6f2e3a39094d081fd8595aeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NE8C67NOXKKWV0D3YEQP.temp

Filesize
7KB

MD5
33c3223b24f61e7af8bb6c3dece2bf1d

SHA1
3660ce305e93983d71596f3c8302c411b24d2e19

SHA256
ddbe5404774cb08041070f19f962f529dcd9e49f002f39320d2586d38f51fa74

SHA512
02aa5383332ead20962900d0fdbb34aa42134f6411c2660bf2f6ae744093f21c15756b4018983a865d0b8988eaab291930130b969f0fb635eb1925c5571d375e

Download Submit
C:\Users\Admin\AppData\Roaming\TLauncher

Filesize
79KB

MD5
5c888eddae30076bd7aaa2e5d5fea097

SHA1
6a5b5c290d24bcd984a7083f934dbf35f56ec888

SHA256
267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

SHA512
4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

Download Submit
memory/2236-32-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-31-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x00000000000B0000-0x00000000000CA000-memory.dmp

Filesize
104KB

Download
memory/2236-2-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-0-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

Filesize
4KB

Download
memory/2416-36-0x0000000001320000-0x000000000133A000-memory.dmp

Filesize
104KB

Download
memory/2604-7-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/2604-8-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2604-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2836-15-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2836-16-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2848-205-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download