Malware Analysis Report

2024-09-11 14:55

Sample ID 240608-x7trhsfh57
Target Microsoft Network Realtime inspection.exe
SHA256 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
Tags
xworm execution persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

Threat Level: Known bad

The file Microsoft Network Realtime inspection.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm family

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-08 19:30

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 19:30

Reported

2024-06-08 19:32

Platform

win7-20240221-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\toad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toad.exe" C:\Users\Admin\AppData\Local\Temp\csucrw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\pccwxk.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csucrw.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csucrw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe
PID 2360 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\csucrw.exe
PID 2360 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\csucrw.exe
PID 2360 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\csucrw.exe
PID 2360 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\csucrw.exe
PID 1988 wrote to memory of 1492 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 1988 wrote to memory of 1492 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 1988 wrote to memory of 1492 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 2360 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\xazwrm.EXE
PID 2360 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\xazwrm.EXE
PID 2360 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\xazwrm.EXE
PID 2360 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\xazwrm.EXE
PID 1988 wrote to memory of 596 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 1988 wrote to memory of 596 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 1988 wrote to memory of 596 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\TLauncher
PID 2360 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\zdjser.exe
PID 2360 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\zdjser.exe
PID 2360 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\zdjser.exe
PID 2360 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\zdjser.exe
PID 2360 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\pccwxk.exe
PID 2360 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\pccwxk.exe
PID 2360 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\pccwxk.exe
PID 2360 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Users\Admin\AppData\Local\Temp\pccwxk.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Users\Admin\AppData\Local\Temp\csucrw.exe

"C:\Users\Admin\AppData\Local\Temp\csucrw.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {84E4AEB6-BA2D-4323-83E1-8B4CBA5E29E7} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Local\Temp\xazwrm.EXE

"C:\Users\Admin\AppData\Local\Temp\xazwrm.EXE"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Local\Temp\zdjser.exe

"C:\Users\Admin\AppData\Local\Temp\zdjser.exe"

C:\Users\Admin\AppData\Local\Temp\pccwxk.exe

"C:\Users\Admin\AppData\Local\Temp\pccwxk.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x550

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 listing-trackbacks.gl.at.ply.gg udp
US 147.185.221.20:15337 listing-trackbacks.gl.at.ply.gg tcp

Files

memory/2360-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

memory/2360-1-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

memory/2360-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/2680-7-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2680-8-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2680-9-0x00000000027E0000-0x00000000027E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1d8483f6e0dae7e8b4e5f39b5c294546
SHA1 068432217005fdb366c933352cb5f8f02729bc86
SHA256 281058ba9868b937b86f095de84a7784cd1eae3dab7cd598faa2703037703e9f
SHA512 b4c5ccb56784bad1f1da2a67c2713301c46a1fe1b228abbca565ed44234e6283abc6629f084b3a35045a89f5318d980009caabb492a3acd07624ce750eb1594d

memory/2756-15-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/2756-16-0x00000000022D0000-0x00000000022D8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2360-31-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

memory/2360-33-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csucrw.exe

MD5 6d10f6618182a146fc3b407f8b0c080e
SHA1 f7f6c854b5a5eb0debcc5060453d0d15d66eeb87
SHA256 170c9351717e67cda6f3cfa73196c32462e63c87a07336821668b38bd0e1cf01
SHA512 14ad694b297090cacf1aeb92badbba68d4ebb1b44da4a9e63137c0aa1ebc3a94236792266783f79b3428e3d611afe46288b9ae818c194fe1deb2fa9ea58febb5

C:\Users\Admin\AppData\Roaming\TLauncher

MD5 5c888eddae30076bd7aaa2e5d5fea097
SHA1 6a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA512 4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

memory/1492-46-0x0000000000120000-0x000000000013A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xazwrm.EXE

MD5 0e89a28bcf39b8ffd68b55117aa2c8c0
SHA1 f66ccc5892a386208fb3c105ed4b34e7e817cc51
SHA256 5ed6b1884460c35b8d585fe11bcf8eb156180d7e30bc22182409b251dd02f1c3
SHA512 a249eca07cea3180b8d0928659f2178163f03ef3b839f7482b3a26cf746e847fb1ae9b12e3b67071ab8e87fa58401e3d4395bcb58a7ca467cfbe38afd96b4054

memory/1796-55-0x0000000000400000-0x000000000040C000-memory.dmp

memory/596-57-0x00000000012D0000-0x00000000012EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zdjser.exe

MD5 19796e0d82a76be6dafa5cb7b80e2506
SHA1 ce7d0842683febfbc4e52278a25f75e29ccf6155
SHA256 65d4c633bf347ed4766dbb6e003776a017ccb632d73c6138c3e880a94c114c2d
SHA512 049111891524683fd63036355f02006ca1fd69478aa9597050f1bbeda256b25ce9f28684df80d169d50dcc01a8cbdb17e78b82ea4d49d71b9ee72588bd1e6fbb

C:\Users\Admin\AppData\Local\Temp\pccwxk.exe

MD5 509327ac1ea4c69e4b90489f2902d940
SHA1 a8a1da6767652a3dced9f53ade92f5d179226e24
SHA256 3d40e9cae263cedef7c3ae6b75a0d87deeb62288513355ff4a441d5e346d456d
SHA512 5a90739cf38838546a70f12ba44b0c1da3479d5aef68ec206bc9bb9665bbe86a74e92a36b1553493d3eda21ca2311e0e7c90b90074f5af580b9129134b0d525a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 19:30

Reported

2024-06-08 19:32

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe
PID 4376 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 listing-trackbacks.gl.at.ply.gg udp
US 147.185.221.20:15337 listing-trackbacks.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 168.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4376-0-0x0000000000C50000-0x0000000000C6A000-memory.dmp

memory/4376-1-0x00007FF84DF63000-0x00007FF84DF65000-memory.dmp

memory/4376-2-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

memory/1972-3-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

memory/1972-4-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_li2mvtj2.rzg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1972-11-0x000002976F8F0000-0x000002976F912000-memory.dmp

memory/1972-15-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

memory/1972-18-0x000002976F920000-0x000002976FB3C000-memory.dmp

memory/1972-19-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 120c6c9af4de2accfcff2ed8c3aab1af
SHA1 504f64ae4ac9c4fe308a6a50be24fe464f3dad95
SHA256 461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222
SHA512 041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3e8199b4634731cf0a0c26c1f14f588
SHA1 7f8fae27eb80055a436a6b5457978f32673d9ad4
SHA256 ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a
SHA512 806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

memory/4376-57-0x00007FF84DF63000-0x00007FF84DF65000-memory.dmp

memory/4376-58-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

C:\Users\Admin\AppData\Roaming\TLauncher

MD5 5c888eddae30076bd7aaa2e5d5fea097
SHA1 6a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA512 4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TLauncher.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1