Analysis

  • max time kernel
    123s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-09-2024 03:37

General

  • Target

    downloader.exe

  • Size

    70.1MB

  • MD5

    d30d0e33a9ea2f4bbdad9eeb6d24d995

  • SHA1

    0a2fd43a5834fd742521a56d78c650fed9e6f62f

  • SHA256

    7eb2dfba9b11c74bde2304ae669e92acdd75df672df7f12aa7de609fcc6bb8b4

  • SHA512

    8ebb045789844ca8108b394f34f8c872b98ade89c11e36f0be0e1bbbc58a04fd82d0ea8639d451cf4d6641ce08c8738897416864da4d9a87124cc8ea21672170

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qnsGg4GUo3Nl:lWoI7zGV5ahWc3Im3

Malware Config

Extracted

Family

xworm

C2

83.38.28.117:1603

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    OneDrive.exe

Signatures

  • Detect Xworm Payload 14 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 11 IoCs
  • Executes dropped EXE 15 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\downloader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\notepad.exe
        "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\OneDrive.exe
          "C:\Users\Admin\OneDrive.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1124
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2780
        • C:\Users\Admin\Runtime Broker.exe
          "C:\Users\Admin\Runtime Broker.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1352
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2736
        • C:\Users\Admin\SearchFilterHost.exe
          "C:\Users\Admin\SearchFilterHost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3012
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:352
        • C:\Users\Admin\SecurityHealthSystray.exe
          "C:\Users\Admin\SecurityHealthSystray.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1104
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\SecurityHealthSystray.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2588
        • C:\Users\Admin\svhost.exe
          "C:\Users\Admin\svhost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1160
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3052
        • C:\Users\Admin\WmiPrvSE.exe
          "C:\Users\Admin\WmiPrvSE.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Admin\WmiPrvSE.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1928
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\clientquasar.exe""
      2⤵
      PID:2572
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\clientquasar.exe""
      2⤵
      PID:704
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {69389C65-8A69-47C3-B341-77D5ABA1C600} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
    1⤵
    PID:2116
    • C:\ProgramData\OneDrive.exe
      C:\ProgramData\OneDrive.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2232
    • C:\Users\Admin\WmiPrvSE.exe
      C:\Users\Admin\WmiPrvSE.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Users\Admin\SearchFilterHost.exe
      C:\Users\Admin\SearchFilterHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Users\Admin\SecurityHealthSystray.exe
      C:\Users\Admin\SecurityHealthSystray.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\ProgramData\OneDrive.exe
      C:\ProgramData\OneDrive.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Users\Admin\WmiPrvSE.exe
      C:\Users\Admin\WmiPrvSE.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Users\Admin\SecurityHealthSystray.exe
      C:\Users\Admin\SecurityHealthSystray.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Users\Admin\SearchFilterHost.exe
      C:\Users\Admin\SearchFilterHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\notepad.exe
    Filesize: 886KB
    MD5: a523443bf25cca341b51bd8dc46950e1
    SHA1: 48f1fd847092aa7e4953d25900f2af4654a120d6
    SHA256: 8033de2d5e64df2df391ddebdc41c6c6041b552779550c2e5f10ceedfd63c7ec
    SHA512: 107d62c74351105d142eb8aabad237d72eb8d8257dc76843ffe1597fa00843d7e33249b2105eb443b96a2c72a3d46090f0dfe34815b6b4f3985a9942e82672d9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 6b50a87e39eea2acdc61b07b005b308d
    SHA1: 8503fa286d597925226c8bcdaaf57064a47ba2ba
    SHA256: 21cf01768b3241c9dd2076e15199dda34e54cee8bc13e409a407c340c0e5c90f
    SHA512: 3712e2f20372269f703a9cc968c3a69447503611b772b403c052140a9840ba966c5ba1d3de87f34b7c3f72f2ca78b115b40e999b86fa2e083bda756406d75c0b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk
    Filesize: 670B
    MD5: ada54ace6d157002cf45da6b43b8aa00
    SHA1: 6d308983b6c6f947fc6ec430d9a7102766a0c959
    SHA256: 1f6a62f8612df43e403254bc572a1afbf1ea53fad0be88b358aa42b992ad92db
    SHA512: 20a1ec190531a2009911cbe7f858b4a2929011aaf2037d80ec5b072d634f7e92ad3db8179507e9011fae226f4d6f5d909e43af5de6ded9855c8462ebba0dd9e1

  • C:\Users\Admin\OneDrive.exe
    Filesize: 152KB
    MD5: 731a6b0a94253742accfb68745e1a8b3
    SHA1: 8009be2cee155287255858e4106b93a1f9081d77
    SHA256: e0518344c2ebcccbf4dc06bc767b2e63841efaf20a30383305933bc44bdbf72f
    SHA512: 2db891f4925ce0417cf521b665401f6e9a8f0e8d504ed1738af6e6ebcd2bb474bdf48dc3490959a63e8bbf331b89b0891e24bef41192702a88c41be86391be4b

  • C:\Users\Admin\Runtime Broker.exe
    Filesize: 62KB
    MD5: fe7aa05ec37a488d26740405131c657a
    SHA1: ec98d63efbbfafbc92bfdca3f537444b8130e6d6
    SHA256: dace5f67e19e6db548a3584ebfe8d8264e48e17f9ba03ead495d29bc5069f12e
    SHA512: 2bb17bf278c46ae25b8c8b41caf13eb5d17a326330aa42731546eb1c6e43d23dc801604e465526747173b765a441ff6b6ca6fcd1a913284e9c1b13d3af782165

  • C:\Users\Admin\SearchFilterHost.exe
    Filesize: 134KB
    MD5: 17e9194b574ff0563f30ea83e6e46b7e
    SHA1: 37021016d7dffbb0babf4d17dd3a5af871ecc8d7
    SHA256: da2c9d51a6b9fc72d25aaf6f72502cb5742138cd6f9c7677230b1908153e881e
    SHA512: 9651fe896061fc1cc547256216caefcf0873b41fde952d4f01d4b9b03891589c663252b52c8160f5edd637c30ec6e5a9968776c4f4dec4aa414a3e0cbd5a611c

  • C:\Users\Admin\SecurityHealthSystray.exe
    Filesize: 244KB
    MD5: 7a3c0396f400ed103a14596b9e252f86
    SHA1: 63f69aca6502efa9b41dc6803e78de907af4bd6d
    SHA256: e56ce77197e3e990bd956a2bac029860331965fdcaf7be99aae6218020611900
    SHA512: b8103a9f17e62f24ff56727e51bc0696077f51f37c0b82be9df231ec0a762f3612292f51c788e4405f2b210f15659973015b04370587adddb8cb27939e1b6e6b

  • C:\Users\Admin\WmiPrvSE.exe
    Filesize: 117KB
    MD5: 304b0209272898a289730544e19a96dd
    SHA1: 01a2fecb493f778c28f88bc3aee898cb3b3ef47d
    SHA256: 6a84c51aa73136918570b0719d268935d532f92b3d95fe36825dd50230f72029
    SHA512: b88ee6237dbab70c59c8f26fe9d407e8cf1c319874fdb3f88a368d80b90e371585dddfcda98d5a87b88857f35c2998275f32750ecd856d0908afa6c4599e03f5

  • C:\Users\Admin\svhost.exe
    Filesize: 64KB
    MD5: 244889298e56dbbd4910cb00e945910b
    SHA1: d857ead75977166f7c14df9ab128cce21c6aff96
    SHA256: 2298d1bd8e34e2c331d339ced7a2dfabba8d8fcd0644479a31a3ee0c04e3ef9b
    SHA512: adc336364fafa060e7795eb5b640b363a846f61b749de029ffeadc2dbcc57c86b73ca322560c377985fab7fa1426c63825aae202fa4b9e45f7175938a5e79627

  • memory/1336-43-0x0000000000C50000-0x0000000000C66000-memory.dmp
    Filesize: 88KB

  • memory/1348-26-0x0000000001090000-0x00000000010BC000-memory.dmp
    Filesize: 176KB

  • memory/1456-42-0x00000000010A0000-0x00000000010C2000-memory.dmp
    Filesize: 136KB

  • memory/1988-7-0x00000000012A0000-0x0000000001382000-memory.dmp
    Filesize: 904KB

  • memory/2192-86-0x00000000027D0000-0x00000000027D8000-memory.dmp
    Filesize: 32KB

  • memory/2192-85-0x000000001B670000-0x000000001B952000-memory.dmp
    Filesize: 2.9MB

  • memory/2232-188-0x00000000012D0000-0x00000000012FC000-memory.dmp
    Filesize: 176KB

  • memory/2360-41-0x0000000001060000-0x00000000010A4000-memory.dmp
    Filesize: 272KB

  • memory/2620-24-0x0000000001110000-0x0000000001126000-memory.dmp
    Filesize: 88KB

  • memory/2624-36-0x0000000000120000-0x0000000000148000-memory.dmp
    Filesize: 160KB

  • memory/2784-198-0x0000000000120000-0x000000000014C000-memory.dmp
    Filesize: 176KB

  • memory/2836-68-0x0000000001E00000-0x0000000001E08000-memory.dmp
    Filesize: 32KB

  • memory/2836-66-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
    Filesize: 2.9MB