xworm | bff19bf2fe8160235c238b3c6d7a4be3e69289b048f1adec196c8a762fbff1d3

Analysis

max time kernel
150s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26/07/2024, 17:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

shellbug.exe
Size

45KB
MD5

e73ddfdec9b3773f3c711c5ef52da87e
SHA1

269b2852f23b991b81faeb15ca2e14dc2fa4156f
SHA256

bff19bf2fe8160235c238b3c6d7a4be3e69289b048f1adec196c8a762fbff1d3
SHA512

3f737e9ecfac3ac553c9737c101ab2192a09310fe47d8849857f27e3e2baa4594d2fc3cc3f6088cfad9afd671584dabf1d8d26057208942b48cd059ae6c93046
SSDEEP

768:QPLSrMoisb1QUhjKNcNc9ElGRDXDgVdD7abFEPt9ObWQ6BOuhpzj5D:QOyABKaaSlmmdDwFY9Uv6BOuDh

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

picture-competent.gl.at.ply.gg:24783:2543

Mutex

QbaLOLRr0WYsOjrU

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1340-1-0x0000000000CF0000-0x0000000000D02000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5088	powershell.exe
1188	powershell.exe
4884	powershell.exe
4872	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	shellbug.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	shellbug.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	shellbug.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
1188	powershell.exe
1188	powershell.exe
1188	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe
1340	shellbug.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	shellbug.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe
Token: SeRemoteShutdownPrivilege	5088	powershell.exe
Token: SeUndockPrivilege	5088	powershell.exe
Token: SeManageVolumePrivilege	5088	powershell.exe
Token: 33	5088	powershell.exe
Token: 34	5088	powershell.exe
Token: 35	5088	powershell.exe
Token: 36	5088	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeIncreaseQuotaPrivilege	1188	powershell.exe
Token: SeSecurityPrivilege	1188	powershell.exe
Token: SeTakeOwnershipPrivilege	1188	powershell.exe
Token: SeLoadDriverPrivilege	1188	powershell.exe
Token: SeSystemProfilePrivilege	1188	powershell.exe
Token: SeSystemtimePrivilege	1188	powershell.exe
Token: SeProfSingleProcessPrivilege	1188	powershell.exe
Token: SeIncBasePriorityPrivilege	1188	powershell.exe
Token: SeCreatePagefilePrivilege	1188	powershell.exe
Token: SeBackupPrivilege	1188	powershell.exe
Token: SeRestorePrivilege	1188	powershell.exe
Token: SeShutdownPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeSystemEnvironmentPrivilege	1188	powershell.exe
Token: SeRemoteShutdownPrivilege	1188	powershell.exe
Token: SeUndockPrivilege	1188	powershell.exe
Token: SeManageVolumePrivilege	1188	powershell.exe
Token: 33	1188	powershell.exe
Token: 34	1188	powershell.exe
Token: 35	1188	powershell.exe
Token: 36	1188	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	powershell.exe
Token: SeLoadDriverPrivilege	4884	powershell.exe
Token: SeSystemProfilePrivilege	4884	powershell.exe
Token: SeSystemtimePrivilege	4884	powershell.exe
Token: SeProfSingleProcessPrivilege	4884	powershell.exe
Token: SeIncBasePriorityPrivilege	4884	powershell.exe
Token: SeCreatePagefilePrivilege	4884	powershell.exe
Token: SeBackupPrivilege	4884	powershell.exe
Token: SeRestorePrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeSystemEnvironmentPrivilege	4884	powershell.exe
Token: SeRemoteShutdownPrivilege	4884	powershell.exe
Token: SeUndockPrivilege	4884	powershell.exe
Token: SeManageVolumePrivilege	4884	powershell.exe
Token: 33	4884	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1340	shellbug.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 5088	1340	shellbug.exe	73
PID 1340 wrote to memory of 5088	1340	shellbug.exe	73
PID 1340 wrote to memory of 1188	1340	shellbug.exe	76
PID 1340 wrote to memory of 1188	1340	shellbug.exe	76
PID 1340 wrote to memory of 4884	1340	shellbug.exe	78
PID 1340 wrote to memory of 4884	1340	shellbug.exe	78
PID 1340 wrote to memory of 4872	1340	shellbug.exe	80
PID 1340 wrote to memory of 4872	1340	shellbug.exe	80
PID 4808 wrote to memory of 2548	4808	svchost.exe	88
PID 4808 wrote to memory of 2548	4808	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\shellbug.exe
"C:\Users\Admin\AppData\Local\Temp\shellbug.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shellbug.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shellbug.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1120

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\system32\dashost.exe
  dashost.exe {128bbe41-a6cd-4a7b-9ddd28274b382a0b}
  2⤵
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
48426f5aec48aa4d151d3d1e05f3b277

SHA1
f364c4963bc1cabff74c34ef71a41a4cbf75dd16

SHA256
b35dc004c26bda6a52240592db7035941abc46544cffec31601c4fcc0917441a

SHA512
7db1be3481cb781a03e38f6e82f4557574aa7c5deaf050297582164d9fa0d7146013cb14a79c9d7b9b1e10951ca9f59115918f58b1f51c6eabf2a5df2f8ab036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d632e195cd0b91f2ffa0b2a0bac73715

SHA1
8b166c7ff80b14aad1a153c1a3811cb1d73aca09

SHA256
4608987472a117bc22ed8fe6b44616ac8e231a7074089f66aac43123ca987c09

SHA512
52b204b2255a8e22ab67a61a2e69926955b77758b85090ad054cd11c328b650e6df639e7616f8a7bde385a2c03464e2c333372305dd46c53f45153f9a628bc97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
948c8177f1827fd6978f77fa49ad6461

SHA1
02a7b7c794f2f897ad97ac8d5925ef82abc91c52

SHA256
7414c1a03f35c10d52e487750ff5ee7c60bfa3be0a562da6d3c39e668bd191ea

SHA512
eb357baf840394125d10fdb28639585a35c35c735b683ea016a4332cc87e4c905771002ad81bcd43ee9a06a0d306c87d1681974f2a5dd5e4fd7ef8312170227a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2dtklby.wwt.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\AddSet.ps1xml

Filesize
974KB

MD5
1b3ed18ccce61217055cc9f77ca37263

SHA1
31f197bba93631a265cc9c730501fbe7558f4104

SHA256
88e6034f27eadf8fadbad5e0ba1cf94ace4c354d373b1d3d5aa1f11f8be2a9f5

SHA512
8e7b3ffe1b1dd3974032bab9f0aff423b60f201b7ebcd7a902e6a1973e910b1f088329a1ad2861de34d918df26b47df3ea5156406c1ed38f4fc63c27e30baafe

Download Submit
C:\Users\Admin\Desktop\BlockSend.avi

Filesize
1.1MB

MD5
81d283df31f640b82f1df26549224936

SHA1
d7554908d3c8a96320fdfc813bd48d6df6bf55ef

SHA256
ca7c298c0abf44eeb047adeb3572f15bf706c2f87b29173d8ef81579fc10b20a

SHA512
11b83d8d35e20b8a66fe10728aa03f317c171117963d824be196abf0de3939a8d2e798eb1870c69334e951763e1098bf42cea6d75dfe67953cbaac5010351015

Download Submit
C:\Users\Admin\Desktop\ConvertFromSave.docx

Filesize
753KB

MD5
6d95f9554acbe1d7bd596c926b1fcecd

SHA1
c6ae057a9c63c3d3cb849ccb24051f6b77c589ee

SHA256
2576fe235c940ac17afea8b24baa6381f6639378882ce506512af83db2cfa856

SHA512
dc2d7b5f3e619668f6df31f75cc2f9c14d3e22fb62d85f1d4cd70e7206dca56097db6f6a3607f6def205ec3f721c6077f38175ef1b63cf00891e01d9d018886e

Download Submit
C:\Users\Admin\Desktop\DebugCheckpoint.wmx

Filesize
570KB

MD5
1f0bc1847c5c91164a6d9796c1118d48

SHA1
3b4de084c87e43ee2253aee82d6aa637a368bfac

SHA256
f2988aaaf05698524257c757102b3e72c9f7d86145cc51ccb8d46cc086008c15

SHA512
d8de3f2eab334cc67f860ab9306bf179ad5c339c09a24a2397a6e665fcf0a0b886d65f302393f8b70b13155200c523121afd207ba892653095b8037f49f22c70

Download Submit
C:\Users\Admin\Desktop\DenyResume.gif

Filesize
643KB

MD5
b4144fae401e40e19507b89c0e5867ba

SHA1
41c37ae23acb4d157ae9397a85b0a1f808b27a4f

SHA256
cec5c14b26183a007d0c62f308563730bc916e611c99fe1258ba477b2440564f

SHA512
2a91cca5785a38c423d72041a152c6b9a82dcc536322a02ffff086026ed7301780a1d750d752eb2f45abc7a63774571e28224c6a15ae8a201c6f4eb8839967a0

Download Submit
C:\Users\Admin\Desktop\EditClear.m1v

Filesize
1011KB

MD5
31dba70e665f5b2a1c771b83f85aa56e

SHA1
76dce801bcf3dee4550ad4661cdc004ddb1a82c3

SHA256
21c3d5e6d167216f0ccfec8d27559a084a99007487cea9821a27df2c070a721c

SHA512
e87b3fc7ea15296424ba24ff64449c03f8922189b9868384d63ae7e9e75cdd25aeee31796db697865d0d989124d4e05dd542a1facad2462b0d7c37a52d6578e3

Download Submit
C:\Users\Admin\Desktop\EnterPing.docx

Filesize
1.2MB

MD5
2447716cb289abc9363b7a81a6936614

SHA1
e2e648a41e966f85652445e62f8a51a161e1f5e2

SHA256
099952645d93c07d0adeab5b622709a73caca4c1f7c7a22f31c22ba7d98d381f

SHA512
57bbb9dd5b0fbd6a27eab2fbdb77da5d432f166074d6b4034f25eda1dc2cb4101eed128c9b7aad33d3a2e93e241be3b08afe8a75ca08194987bd520696989652

Download Submit
C:\Users\Admin\Desktop\GroupClose.ods

Filesize
790KB

MD5
afceb48aaa3019f6c306d681c0ae8fbf

SHA1
71f4a75cb4acfbe986cf24d67565d805cc45a0c4

SHA256
84b991cc0596a2d0bdb00406426eed84e7222aa3c64c3d0022f56b9a8ad0538d

SHA512
f4027b3b24ec7d9253c60668c89c74d291986a3415f0b661091d0e983f01e876ae92836d9ac7b4470acb08d6078b6df908a5e1972e3d95c67bbed2ee8df04d7e

Download Submit
C:\Users\Admin\Desktop\InitializeUndo.7z

Filesize
827KB

MD5
c816c1f3335afa9e9c13086f3851a360

SHA1
d9e5220b1da9dbafa1403da049406b504400d647

SHA256
05aa392b454e21a31b47b7faaf069c4cca7422ce8a7cec2b84383a9bb887ee24

SHA512
33fc32b0517b21e84785fc30e8c711313a541fe3a308c5944c9cedb88b27736d45a3d0819cdf30f44658fb471300500756062460f96e3d86284b44857a7c1739

Download Submit
C:\Users\Admin\Desktop\JoinClear.doc

Filesize
533KB

MD5
0775e35ab6d597570b45f0ba57fed28d

SHA1
a843cf5928138fec23bedea9bb8304626cf612f8

SHA256
7e7c5df2d53ad4dbc3ba3389b552b06832475e17d7bc49c42d7997e5a4c4f7ce

SHA512
96b1e4bbd2c966ffcb52c3b90e4b3c9bba1473994d5bf4322576c6054940bf8afa282f12b10ae20f3329ff3ca75efc920b4398425e70ce4e5a0fc8feb12da689

Download Submit
C:\Users\Admin\Desktop\JoinCompare.dll

Filesize
459KB

MD5
6bfc319f1c3c054e85299bc30f17ba7c

SHA1
978ba1c5b302a7db05cb5f4f89ed4a2cee4bc271

SHA256
566c19fc5d1013da3a94d184a549a1948103c6ad027a49a03f8f86efee88dec8

SHA512
5b7f97e11f30d1ab2097e6073d721c7e6563dd1365672009eb14ae671ceef76955fae89b3c4997ad16d31b24579459dc51753edb84780a185a9bff93e877af62

Download Submit
C:\Users\Admin\Desktop\MergeMount.ppsm

Filesize
1.1MB

MD5
8bf818e0134e374e21837767ac532f9c

SHA1
9bf14416801e082f8a8277cd6ad16750c01bf1d2

SHA256
a35646d740059538431cbd0b29629917bb4cbaa15ef92ca4725eff07a4c29eb1

SHA512
cd855acd9acad69d839a7efbd3385ffb14ca39030e755d455eae131472b363c108aac275427793517c9e5f33a605395d2ba8936ff516fc13f9a6a0124738b789

Download Submit
C:\Users\Admin\Desktop\MoveInvoke.odt

Filesize
422KB

MD5
24f14d673dacb43bdfae674c472ff643

SHA1
26ece67deef87cda2a473c5c4611e6d62738f5d2

SHA256
cfd82d3f33ab0dd46d203e28b26d4535a91aa497f1f4492d61a7ff7871efb7eb

SHA512
0d92f0603b09a3cbee2f947aedb02b7782220c1ba6c0817d5a2c56304c907df328e720dd0fb83b1d89e5da21bc0812a9e7741bc3ba18e1538fa32c454d6bc1d0

Download Submit
C:\Users\Admin\Desktop\OpenRevoke.wvx

Filesize
1.6MB

MD5
0e16e331963ae5ffcf3f966856cd2fde

SHA1
1491a44a9ea07a74fbf3caaf36bb9417da4d0da4

SHA256
0ee5e5fea7e4685078ed1619f766f58c99f20dfbd8e4b9adf38e2075454e17db

SHA512
c9d8cab62a5792e6c7b1f3a9284c53b5d2440db9064755f77ce7c39947754db95a7b47c52c34ed403422f9c574ee853e6ac8b9c5df3395b96f4f87b153d9a587

Download Submit
C:\Users\Admin\Desktop\PopDebug.bin

Filesize
901KB

MD5
dc6c5307bf676920ff9f75056d1b0f03

SHA1
07ff8c97d602a59f802ab2a31ebaa1bcb6e984c7

SHA256
a68f8452fe01e596893b58b2a8f5ce53dce40b46438bc2363d421886bfa4c570

SHA512
00e438f0401f383db90ffa45cbbe8a0b6cd57c05b5a3f6b8ac4c79ec5b1031d7d2e53eff03b1f8636a0df2a3e054769ca0782910d0be58fbcf9f754e246447c4

Download Submit
C:\Users\Admin\Desktop\RenameExpand.shtml

Filesize
606KB

MD5
5566f3182444915b7b4c194609de98b4

SHA1
999370bd594fbe46be908a85cdc781461e5a944a

SHA256
c06a22eac92a157256908ab4a8047fb8fda484c400e0b7b58e4571f3ba363104

SHA512
0d50633298235d068e7449b43ad8c496798a0de1b3c2a2bd68db86f4fea0b372591f5ec4aa1cf068602d86d9539c1589c66230adece8404c3d79eb4076935133

Download Submit
C:\Users\Admin\Desktop\RepairClear.m4v

Filesize
680KB

MD5
32be4cf640414087670a4538a70b5ccf

SHA1
3ba1b8d337d5d2157805111d01be9bff2bb11a58

SHA256
06996c8afb103aed2dd72b24cea0355f8553bfd6778fb63b6574ec2b4a60ae74

SHA512
5a47b54dae111cf82cee548b55eafd41afacd77858c04ecf7d7a25c74fbe2102b1db6da23c8e7afb0d48e6fd7fd371807997ee2024904891c0ab56f82080ea06

Download Submit
C:\Users\Admin\Desktop\ResumeWatch.exe

Filesize
1.1MB

MD5
d17472f61832cec72d0c574c5a168820

SHA1
34704105ca798f9e9583b77e0bd4456b6eba03e6

SHA256
ac8d637dbc4d7aecf25442db6eccda2d7fa28ed994cd3d347f294656f5d7fa11

SHA512
2547ccf4eca9f36ed37a86a79248bcdb2e4e4c7a9af62d7c76053b2b0a51682504ef9641f9879839449175876e1c2d0ac6bad44d7bbdc7c65582e73018b88865

Download Submit
C:\Users\Admin\Desktop\SaveStart.doc

Filesize
496KB

MD5
8e618f30d88e1cb021ddd697f70f1a40

SHA1
f6378438ecedb840953cc32aa7df24ebbf4800dd

SHA256
808048592cf09206225e09dd217a64fbfebbcf437345acb867c614764e13291c

SHA512
1bb2baa1bb2f18004fb6ae8e4eafcc1f034c66f7c11072b5737eab291d562a2f7c4d564f1ffb81cfaa0615f6dae83ca8dcf5f9b8519f510dc71c4cd5f4a6d714

Download Submit
C:\Users\Admin\Desktop\SaveTrace.dib

Filesize
1.0MB

MD5
2ea300211b2bfe43a77632e5d29bde81

SHA1
b4e4537eaa8555068bdf481540163f94e9904b01

SHA256
7ecbd46e313ee95255d99e7e1489c4e7413d707c15dd2a1865e5774cdded5ac3

SHA512
89d16377381fa8704f698fa7cb78cd4d01766c7c65c30b98988157205cc10537430c946a5909ef6449b29b3eb4433c636d584a29a41f4eda0089afee54d88cf7

Download Submit
C:\Users\Admin\Desktop\SearchInstall.mpg

Filesize
864KB

MD5
306b165908cbd8adda6d2f02646f386d

SHA1
e730c5b1a37d54189067f9c1709785239277e16e

SHA256
92e1f41f6f5fb8bd79fd7ebfd412b25077c194d96e0488b324e605c5edffe93a

SHA512
2a390ea45ad91ee8ec3487663b1604b0dce5cd919c275750f9116bb579b52cb343d722956d44f12b035164de1d9b52ef23cd671bfd3a9bc914b90c7589062dc7

Download Submit
C:\Users\Admin\Desktop\SkipShow.ocx

Filesize
717KB

MD5
53dcf962ed3555765d446b2f7952fca1

SHA1
28b10fcb79dba58193cd70f6e9473d92c07f670a

SHA256
3b61da2d151255b2fcf4379d6ea0056f5597537115a8bbfcf4949a3b53f1bb03

SHA512
7501598d2046b86af358dad0a7df82d07dd02d85908937e44fa636ac571059c2bd17a62ea4290e4cbc0deee64c77f6c9eaa3a04079e9292936735d0006c84174

Download Submit
C:\Users\Admin\Desktop\TestUnregister.asp

Filesize
937KB

MD5
1296e29b5788a87e58e1b6ab03a66365

SHA1
80db5889274482962343cb13e3719c678e7bc1af

SHA256
cabec161744ca91e925a2023d276a9bee606734946f4209016cc67d537e0f676

SHA512
28fe7d7b5a2c45e3395dce990e4647587ddf376f8f46eb8149b747d2d93cf719bcfc2a5fd546a3b1cb07d77b5797ff2f4e7dda38c0bc40998d17f5fdef8421a9

Download Submit
C:\Users\Admin\Downloads\BackupResolve.pptx

Filesize
651KB

MD5
6417ee1652751fdd95bba861e9689df6

SHA1
987fccb4d0061ce6613d37d7942d26ec1b564bde

SHA256
cdbdb0580835f6260928168f440c358f46c3752e3dc48d3160e3a4f3cbc91205

SHA512
158a6d6d5df939866946a32babc3fea236a31306da042d6cf510eb5f90f6a68fa855a0e06e2891b7be9544a1c8577833a35d2cc850b9af5f5c7cedc949cea1ba

Download Submit
C:\Users\Admin\Downloads\ConnectDismount.svg

Filesize
548KB

MD5
e14a5fd42cd1c394088f4c6b501c9283

SHA1
4b231b952bad6bd53aec8b9941612bd8f10ea90e

SHA256
af03f086e87a56a5bd138d86842be24d8565921f2b3be69f56a0cd401a12f213

SHA512
4c9f9a5ea21bf14925d242259457d10c97315170d8ea1ff51f722e6d58098c81ac294fd5b2397cec13720ae3f5ba65897c5560cdd05c6ee4baebfd8addf16eff

Download Submit
C:\Users\Admin\Downloads\ConnectSync.midi

Filesize
920KB

MD5
0a6270081f7ef9598339556fccc5696e

SHA1
8130e34a59a7f6747e2adeeb4b94c109511f3120

SHA256
31f5f7343e3cabbbbeb6ac12c7ef3cda207a1a4c5d79b7cadff186518db0222b

SHA512
73665fb551e2b920e00073af819559cf4dc42ac8d4fe5a7bd449b804cfc12fe9f4f0f952886e4017b6f4c59a92bda7c9f19da7b01d1ec26ccebb1de48accdb6e

Download Submit
C:\Users\Admin\Downloads\ConnectUpdate.3gpp

Filesize
817KB

MD5
595abe1b78811e3cff26d841e301f504

SHA1
45c530635734f6be80c2f2aa6b430565af81a38f

SHA256
e8267c6ff4bd285306797377245df65f05a9fbe1a66ab8b2c8335a2b00c9d1a5

SHA512
1a8b13ef394ab27c75d07b789eaccfa3fc74ad8c13dcac3b645c9219ad23081ef66448d44d2301380a47a7ef493e2c817865838b9ed3099977e7ab79c0891424

Download Submit
C:\Users\Admin\Downloads\ConvertFromUnlock.dotx

Filesize
775KB

MD5
cb222041fd7432ca2457d9fcdb44cf88

SHA1
ed3eafbdc228e4a7b9528cb615a14e89b9e05dee

SHA256
a94f24c45da4627d38a45e503d9e546785b9fabef87c739405e6229290fe8330

SHA512
126d82e7e5b42f3650e351bf20975fd586eb2a9a988cbe0b41775e73c41e86dbb870ad59f1d31b4e3c8551d1431490845877bacb001fc41b62755d3dfea13667

Download Submit
C:\Users\Admin\Downloads\ConvertToJoin.ADTS

Filesize
755KB

MD5
7422d40c903fc240e3c056916bf8821d

SHA1
2784f36c15157c3d87553248d667379e30954041

SHA256
77f7f69c65e6c4ad8f8b588f6225504e236ae780b619b0a5f79f508cc69ca648

SHA512
b41f57b02702146b08a8777e50708cc7776d30ab794516da59c739218d03798c3cd481c991ffe17b076bc647d18feb4ec596af6ee9d089bdda6a2c5fc647f28f

Download Submit
C:\Users\Admin\Downloads\DebugSave.jpeg

Filesize
424KB

MD5
f1c3d7fc901d713b8015d54c499a1185

SHA1
0edfcc6680e55a01d369f431dd5f609d8685450d

SHA256
defc5563159d9622ab326460b219fae63d49371f791d0c0253b43b0bda334b14

SHA512
d5a7818b0de584ad0b4a0acf9903c4190eb6a136e18b1f963603ba8302ae51fb254973e18b587782ba88aafb9246829126adf9277b49dff200e6df26ade1f13d

Download Submit
C:\Users\Admin\Downloads\EditPublish.jpg

Filesize
403KB

MD5
d307e68095e2bac6872ce3699c4faef6

SHA1
dec58d60c4fe4bd7f0c1ccb617e6fb20fa10a771

SHA256
191d0d76415a567b478b53bd60075d52866d507c9d13dfc5c304fc98ff40e22c

SHA512
5d70c96db7eaf6c71307ba33616edede03e622bf5a96aa3fbedfee1ba2c4e43516f4cc41419fb26760b24b3e5dfe9ec79e5857891534e10b194529f46cf594dc

Download Submit
C:\Users\Admin\Downloads\EnterOpen.bmp

Filesize
630KB

MD5
43ae3f62af1705028ca9e1d1472e813d

SHA1
d68eb69eada5abd03b66a6a6781b0d2c42dbebc5

SHA256
912244ef2fa015fba300ddfc10a89bf67f17b37c090f9e89502ac8ae41a87a5b

SHA512
27edd941fea69831e4a9ea71d2963b26f553a7053f1d19e89d088fd9290260bb78225927494120c1e6baf3c0ad5b8c3b645c9b4f99298c8427df086a2e2fe682

Download Submit
C:\Users\Admin\Downloads\ExitRead.hta

Filesize
362KB

MD5
1736f43223f5405adda17ca2279da7e8

SHA1
94b802d6ccd4165ff6571117ca500ce5bf8f6059

SHA256
f39585a2a43f026fdb3a41fabfad64f07e3629135d4e91d31c190b741d5b8ae3

SHA512
bdc7b4ea64ddfa94834c05d6fdb730bd35955beae410eb28144356f2999be2f9b4d3de295ea2678d02f8c2f60a2438db97158170254483d0dfed4d523202c3a2

Download Submit
C:\Users\Admin\Downloads\GetMerge.reg

Filesize
692KB

MD5
303bff5fe49aeea844676e69f0c44fc5

SHA1
26b243059a3b69f5151f9e601fdff61ba8d789a5

SHA256
2898d209a9950b4c6e288a129e8b940593c097a69b148a418f6b6536bd0f0a87

SHA512
fd6e0a4e83234f81270437a1eda52d2323cdeb755279d1dcc51897988082bce7bc230de5679fb2677092dc3d305aa56dd447e0f5cd0509c04a1b7697fa0bb578

Download Submit
C:\Users\Admin\Downloads\GrantRestore.css

Filesize
796KB

MD5
374c2cdc03e86d97df2df86b7d7df04d

SHA1
ffa03abb0c1682b9e014e51f9a1d1e836ea56680

SHA256
333484c4ad2882a13727e71314f94fb50bcfd86f76a841be3419a5722dfe1f78

SHA512
52a0fa95eae7350edd45965fb2683cfa075ed95ce00718b8353fa5cc69a9a0d9a37630deb0a8ace06ab8b0c169cc65c981d0c8d72907a61e93bda44a8feb7de1

Download Submit
C:\Users\Admin\Downloads\GrantSave.nfo

Filesize
465KB

MD5
2f70a05ec51d896549cd1a4edfa3fec1

SHA1
1aeee71e7e0be8ae59e80741976ddbb89b8170f4

SHA256
b993c27ff14347a3f8506e263f0c48ab1808500f0a42cd361403a4788cd5b8a8

SHA512
7a787fde47f39115112cb2c53d4b2b328e2a17c091ce311f4ed231cfc4c8980cd454fdb1a8893c668176848fa5c1c1cd86a0451e966765d8700c729332954d81

Download Submit
C:\Users\Admin\Downloads\HideConfirm.mpeg2

Filesize
486KB

MD5
55ccb470a9f6cd56db1410d250df5c75

SHA1
be0da75aae0839c5bd094facb6d29575a60d42a9

SHA256
258efc315f97e19443de4fcb64e526387d331ed120f463029fd85a1686e105ce

SHA512
8cf3a5817905aa99d3a280defca76c1f33c5de643ddcbb6d323456c899d05b8436c2419c9763a96912556e37006702bc3f3e26539b9712402077e46c79395971

Download Submit
C:\Users\Admin\Downloads\ImportRead.tif

Filesize
527KB

MD5
2be00e5cb909b285db484b47e2c0b902

SHA1
ce90cab3fbe6063d2fb052827e9978f92255effb

SHA256
21f7a1aa456b6c66a304643472f39b85c505cc8a7ad2b33d3882f2cb85927547

SHA512
487c19c17f4ccf7be6e49d6d53bd3e917927e3541f7ae2494474c420c56190ab8ea55b2dd3c1c1b2f1e4c86a7e4d411147ed68eca0eb834e3acfe3d7b9769e13

Download Submit
C:\Users\Admin\Downloads\InvokeComplete.mpg

Filesize
672KB

MD5
5c17aefe4805f60eb408d4e8dd86fca5

SHA1
04e787935f521f5f781645a2c2bef5f72a34e505

SHA256
6eeab0faed21dcca201c8ae2fad99f712da1cecb09a62a6b39bccdb2038be4d2

SHA512
3e2a5237f12e6083953fb681c486e253779ed57a92338ec616caf1f1aa557e7a13535e013398e1da284865e9eac577b932c767346466e64b01ab4c8658dc74e9

Download Submit
C:\Users\Admin\Downloads\MeasureFind.rtf

Filesize
713KB

MD5
e21939b31f4e5b2f14957aa389f19c61

SHA1
65c2a2e4ebd08fdd0570e3ff1ae81213747c316c

SHA256
c881a6451f8e901eda4551333a40d07be22a134002e49804d8da5376672b3162

SHA512
d4009ad4edb07b3f52655d0ff58c4b5c32b3235a41be1c3674ca9baf80b7d6cddcd7b0e89ad427f5fa4df04bde293c129831993a1e8ce41be9e9476b7b5f14a3

Download Submit
C:\Users\Admin\Downloads\OptimizeRevoke.vsx

Filesize
341KB

MD5
5c475553d171081ffd310022de0b2182

SHA1
180e7661970f2ad7443848242c74d138ae0d4ff5

SHA256
8aa1e2c3d774c9b9420e35ebf34b22103274c94ee8b263789320da3418e5daf1

SHA512
f67837fcef9ed2681bcb366aebc3397b5ca96a74388abacf2625313e3e433cf168f5f4fc1ec2d1dd9a03ecce78b89549ad8b1157661ed046184a398bc49497f2

Download Submit
C:\Users\Admin\Downloads\PushBlock.ps1

Filesize
837KB

MD5
ce08b6e27927d3e04965c3cc843336c6

SHA1
a8ff4798746316e9f1636bedeea083cc6a5ab504

SHA256
779d0fe263c5509769c5e253bd45cb2422d0f332300a94c8ee6b27e9a5585cb8

SHA512
52e49c097ed90a7d5f771b0d2e61e328f8e4fdf83226121d2a38863f71d27cce4778386d3206e5fd0bd1fb5cc02daf90f7b722e231551d469df2aeb538cd0316

Download Submit
C:\Users\Admin\Downloads\RegisterDismount.xhtml

Filesize
1.3MB

MD5
d9a7fa5fc93450209d960fa8cc2bdd1c

SHA1
c5bb43b448ad920a6418845561c26965b8ad8605

SHA256
6ee54598c04a26e53576c06b53715189416d8c78da10d7176445d6a2cb537d6c

SHA512
90aa8e33cd354eec4ce327317aab192d5c01bc0461fb8b2f5e44515ce99adba547b44d344861c19a19d674d0fcaea6428ab4191be1a40de6344263bf2dd13fc5

Download Submit
C:\Users\Admin\Downloads\RestoreRedo.xht

Filesize
941KB

MD5
9aba6b21219873da8f1854af24a26266

SHA1
eafd113396ea4bbff5896c23f16c231280a0f700

SHA256
ef3d0fc1657663fa7e62204b3c3a1946bfa18810ee91d2bf354295cee329c37e

SHA512
8dd0b985b639e0cd1e3dfd5e4cecfda4b003c735d618f558119db1721e8d66c6375c4c352045985271adef39563f6dabb4d81b6b4da67676ae4cfd1820352862

Download Submit
C:\Users\Admin\Downloads\SelectGroup.vdx

Filesize
858KB

MD5
2ffa7d5ee6edb5e396d61d406da11ebf

SHA1
1ec983b15c507d6089839eb5bef43d8df45879d7

SHA256
546447c308faa36ab5809dac8c5d7c0c08c8429cb289d91e9366f2bbfe579df6

SHA512
062bef6edd7ceccfa8cd1773e684f6b68679d51b3813e86573581c06ba2c3ddf319514ecaee72d20c3b51ec91f9fd8cfe130cf77962b7a064e82ce87295253cf

Download Submit
C:\Users\Admin\Downloads\SendCheckpoint.asp

Filesize
961KB

MD5
d6a41054eb0e48a051d8b6ce238673ff

SHA1
f4bc84cb9dd86dfbed022bd97a5322be3844ebdc

SHA256
f4362523689ca827f49b1f0b859a1eb75310795f0b422062c7553d813d8426ed

SHA512
9f1a3ed94a4f051eac3fabffc04b68b27c7c9422eece91d8028f6a461322af90ff10ba47caf587a4cae1ebbd61dc7d06058910e7cdd866805fae6942371b6a74

Download Submit
C:\Users\Admin\Downloads\SplitMove.iso

Filesize
610KB

MD5
a6dbc9fcdcb95c7bd5dd95a338522dc9

SHA1
a5d95519446b9eadcb61683ccc17fd6c338c9b24

SHA256
3d6c92a3789f49c7b0ad7d67c574439d6893a758332c7440f4ed75873cd428fb

SHA512
ae91b8171d45d8f0a40aa3a56716758e138fe8b8addd6ba56b691c98da67a6be79f9880d79bc2db7006fcdbd512245a84fa7512ed9a692cbf6ce10c894972c02

Download Submit
C:\Users\Admin\Downloads\StepInstall.xlt

Filesize
734KB

MD5
b2714f134f219f8f80a32d0387e93117

SHA1
9f74effafc2d2eaf784e1383ac4f19d698579e99

SHA256
74f071de105876dc0dea44a643245c16a54018d0312c29f1314dba1088010403

SHA512
acbd6ad93b40c57ccc8706f10a98d295295f03e088bc16b2375cb77a9e819f906b8255fbbc3fa305aca87d1ea687b368243ee63ec1b61e89d967b4e0e8375f70

Download Submit
C:\Users\Admin\Downloads\StopHide.iso

Filesize
568KB

MD5
62981eaa480d0d99e0f74b4d8e3a821c

SHA1
f44f88a2ad243bb36c035437adb44480e84f0a8e

SHA256
e66f598415c90974632173c2aea62e82ca6c47becd6c21715cea9ad56ee6af43

SHA512
f345ba31ab5817a099effd22103227a173474b0ac0eb21fbb4e99c1b872260244d53f503edc37a539363c8f42965860cf2cd24a29aeb05d1fa0d5d982aa5de16

Download Submit
C:\Users\Admin\Downloads\StopRequest.wma

Filesize
879KB

MD5
14e52f272a62a7d3a801ca65acd4a5d8

SHA1
82194281806c8148c28d0f93a7c9321db9421d64

SHA256
971d548fc599ac1631cc75b8523fb417be76412f807182e0319941e8f1df3ba6

SHA512
9e30403b6b745720f5e5296cd49b38c09ffd8319ae18ef8b811127572fbf3057845973082cc9c643413d40d4bd275d6567beee77cac6a83a294403d7197c33aa

Download Submit
C:\Users\Admin\Downloads\TestCopy.cmd

Filesize
899KB

MD5
46daae31b7f83267b411bf1f06230c8c

SHA1
e58b710ed6ccff42feffbe0e38de47c0b9215ad6

SHA256
892e0ef2ed54795d808ee9b422775c775d2b0d96909149f2b64d5acab28854e3

SHA512
3ac83ea49f32d3e3cf3ea9f7e852f0d7bfd88fa0cfbbcc3596eae63263362e36d6fb789db74d454c6d285b6609ea692806fd338623ff92351f027f7a8f6bd974

Download Submit
C:\Users\Admin\Downloads\UnblockReset.vbe

Filesize
506KB

MD5
fdb654f67f7f63ba186dab79f4f6db37

SHA1
01587bffdc3727562ef4d0de5148ca517fd58d9c

SHA256
986561d01e271cb5f7637640e95256a555931d2c9bd5abd0aab25ef86bcb2706

SHA512
9d62e9f7f2caced15cdaccffd082ecbca073da127ba5a30ff6ffa135c02bf4360509e8d0354d74edfe2110f5ae62e6cc54315162ff9a08d308b4c34d68b5dbeb

Download Submit
C:\Users\Admin\Downloads\UndoDismount.zip

Filesize
589KB

MD5
f3a9334a0cdbbd914c6e75d467b08275

SHA1
ef5b7e9a52ae58931a3834d83811d034674dd0e7

SHA256
70674253f7df4fe9a4de05c7f7773eeaaad9c0e788a3e0dcc96952a38baf25cb

SHA512
ffec9f928be51379d77043a97465e932cbb3100b14140288e143f9c77f70791496ade7a6a5323ee6215aea47e70633a40675c38f54b30594d38b8d68bf1588d2

Download Submit
C:\Users\Admin\Downloads\UndoSave.png

Filesize
982KB

MD5
83b4798ea3c4b893469dae983e826991

SHA1
42bfd0985b69948ff3b2aa36e58e566d214090b2

SHA256
8fdc37739d3b9a83fce30d7cb883c7561effdf3e3f8e4ef431962a164cbc8389

SHA512
8f9a20fbb1986a430023caecf7a999c1c5c29f3c5f9c8b04a956715072e4b7cc97fc84936ff2eea1223c1e144ddc2552741cabf679f4ad46f6f994f1348ccc70

Download Submit
C:\Users\Admin\Downloads\UpdateRestore.txt

Filesize
444KB

MD5
cf2d58056e13c3bdfde907f149e800e0

SHA1
56ee9efe28aa5f81ccc5329b24faf31bbee97291

SHA256
2ff938ab600e06502e5d72dea6969bb9e7a025b1144590980cbceb21de1ec113

SHA512
6312e458bcd4835c52f4b67f10af2468127d86017c5a46b8e50df87e64ce31c55aa7802d661cd79a2b25d28b51debaaec9f4aa1e627befe7f94a7f173a06a41e

Download Submit
C:\Users\Admin\Downloads\WatchExpand.tiff

Filesize
382KB

MD5
0e8b9e9f7464f79f98b68a14151f9bed

SHA1
13869aaaec426f80d45199382aa07fdbaee70512

SHA256
1e81409d9f235b02ee6d9a45ac926575aa80049c896eb141514b53f719b14e14

SHA512
9ed2bbb0c7d039b295d916da0b11b71b1255acbda6ce84dfd5a5fb6f6de01be9e7ec0e10d776ab3fcd9950e6d690b30063cea203011750a7bef8e0e77db18e5b

Download Submit
memory/1340-2-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp

Filesize
9.9MB

Download
memory/1340-0-0x00007FFAA4D43000-0x00007FFAA4D44000-memory.dmp

Filesize
4KB

Download
memory/1340-186-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp

Filesize
9.9MB

Download
memory/1340-1-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/5088-13-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp

Filesize
9.9MB

Download
memory/5088-10-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp

Filesize
9.9MB

Download
memory/5088-8-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp

Filesize
9.9MB

Download
memory/5088-7-0x0000016238140000-0x0000016238162000-memory.dmp

Filesize
136KB

Download
memory/5088-12-0x00000162382F0000-0x0000016238366000-memory.dmp

Filesize
472KB

Download
memory/5088-51-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp

Filesize
9.9MB

Download