xworm | e3857938e984ebf091b7f9906513af059c2fa13fc6dc51a1d30858c7d5fde1e7

Analysis

max time kernel
236s
max time network
240s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/11/2024, 05:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

skeetCRACK.rar
Size

48KB
MD5

87c5c8d41987fc8bda4cd1c0347c63b8
SHA1

7ce323c24f55ae24ebdc7253baf46775c9a6fd05
SHA256

e3857938e984ebf091b7f9906513af059c2fa13fc6dc51a1d30858c7d5fde1e7
SHA512

571ede528686b6cc5f0843704f31ba7de28786a7d7751b2281d32dd8f22f62f2d32fe8443505129fa37c42e3e4c2f0841f09e003e0fef15aa093463cef49ac0e
SSDEEP

768:n2mvZbIAkBVUCe8bmlovSfNXtha5CQO/poSQacJoGhWDeaiXRggvZ18QqKXplI:2acZV7vvSfThDRfQ9yG4GXymDqWY

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

council-field.gl.at.ply.gg:50139

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002aacd-3.dat	family_xworm
behavioral1/memory/4480-5-0x0000000000600000-0x000000000061A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1676	powershell.exe
3440	powershell.exe
4028	powershell.exe
1184	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	skeetCRACK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	skeetCRACK.exe

Executes dropped EXE 3 IoCs

pid	Process
4480	skeetCRACK.exe
1640	skeetCRACK.exe
4524	skeetCRACK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	skeetCRACK.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4568	WINWORD.EXE
4568	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1676	powershell.exe
1676	powershell.exe
3440	powershell.exe
3440	powershell.exe
4028	powershell.exe
4028	powershell.exe
1184	powershell.exe
1184	powershell.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe
4480	skeetCRACK.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4800	7zFM.exe
4480	skeetCRACK.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
636	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	4800	7zFM.exe
Token: 35	4800	7zFM.exe
Token: SeSecurityPrivilege	4800	7zFM.exe
Token: SeDebugPrivilege	4480	skeetCRACK.exe
Token: SeDebugPrivilege	1640	skeetCRACK.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	4480	skeetCRACK.exe
Token: SeDebugPrivilege	4524	skeetCRACK.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4800	7zFM.exe
4800	7zFM.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4480	skeetCRACK.exe
4832	SystemSettingsAdminFlows.exe
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
2284	LogonUI.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1676	4480	skeetCRACK.exe	86
PID 4480 wrote to memory of 1676	4480	skeetCRACK.exe	86
PID 4480 wrote to memory of 3440	4480	skeetCRACK.exe	88
PID 4480 wrote to memory of 3440	4480	skeetCRACK.exe	88
PID 4480 wrote to memory of 4028	4480	skeetCRACK.exe	90
PID 4480 wrote to memory of 4028	4480	skeetCRACK.exe	90
PID 4480 wrote to memory of 1184	4480	skeetCRACK.exe	92
PID 4480 wrote to memory of 1184	4480	skeetCRACK.exe	92

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\skeetCRACK.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4800

C:\Users\Admin\Desktop\skeetCRACK.exe
"C:\Users\Admin\Desktop\skeetCRACK.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\skeetCRACK.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'skeetCRACK.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184

C:\Users\Admin\Desktop\skeetCRACK.exe
"C:\Users\Admin\Desktop\skeetCRACK.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4212

C:\Users\Admin\Desktop\skeetCRACK.exe
"C:\Users\Admin\Desktop\skeetCRACK.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4668

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1296

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2728

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC
1⤵
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:2768

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\nigger.txt\New Microsoft Word Document.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c6855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\skeetCRACK.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
283958a716803c6e613f6075bf56e005

SHA1
5a3258c7e9e33f0a7f1949de7c2025b13e9d0e99

SHA256
a179b8f9baf30b57d17bf2f543a3d9d276e1db0562cc842c5380d24664113c31

SHA512
691cc2281c8c524aa9a0d2524e4a834ce5d3fe56ea2ae20757630d46e9429aaeefc121d37abc92b44db79389d6db3a24216047d8e73f79e56d8506e2035fc9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a7f03a7ad1cae046d8ceac04256e5ae

SHA1
ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

SHA256
e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

SHA512
382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80707036df540b6657f9d443b449e3c3

SHA1
b3e7d5d97274942164bf93c8c4b8a9b68713f46f

SHA256
6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

SHA512
65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqm5vcw1.o0u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
334B

MD5
bfeb11642d9250d9a08f4e86a762f9cd

SHA1
7c784041b82e9d97fc25b4171c5c31aa0d247189

SHA256
8adb4d7d9af8655649a64b9767aa1861bcfbe08484236fe9cf141d9e7c6f1926

SHA512
d8e98d51fd10f9a6edb01129f40ac1d4aef3b5d4ffe1f6ba4590c455a357e90e92ab7178547cf1c759ad2840850d0020eed830a1df46556ac2696e1a09ea601f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
d2b4d7c8ea519d6c3681e59c06610287

SHA1
2b10b81151d0706774b1564c3596f9645f870378

SHA256
2549718288e736d3d3785b32c6bf64f9b9993da503246d0690161c01d6105250

SHA512
235bd0e1ff1c8feb40b1b390bc3ff3bcf5812fa7db6a6825deecb96dae210be5799c99c6c75875723c81ab317f2e5232a0b127e45e2940918958b3d45a9a1d2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
7f13bec829a63b1f06bfcb2f9b55d124

SHA1
74584043ac0e389abe78f73c833d71f77b8b86a8

SHA256
172491e3b0e11044e2e269982d9b8139a90d21b818db99ed7afd66692744800c

SHA512
5cd9a6fd11c9fe54a3a0779460a3b736cff0416f3ce8af62f366d87d3554068984284a6d6b0b8f24edbcd585d58b4e8aa5791e5aa8c4f5e8cec4acd706815d1b

Download Submit
C:\Users\Admin\Desktop\nigger.txt\~WRD0000.tmp

Filesize
11KB

MD5
c117dc021ec67f68fe7b5960bf0cb038

SHA1
fac6aac9c6bc9fd2a9397ac28b42f3fdb86d78d5

SHA256
1124b50062d35b8fb0a893fa5793442c2236d4f9665d32cc8651f5b2e77a148a

SHA512
a9fb03c5edda9da8975975365c3fb257d8b562623a4c46ee954b228ab982f621c37935d22e54584e4eae6ef8e76290bb54cf98c6fe7847820a3f24fb48986e97

Download Submit
C:\Users\Admin\Desktop\skeetCRACK.exe

Filesize
81KB

MD5
8afa641abd65fc672fed8af6e1f2a192

SHA1
123b92dc7dcde3c972b18d80d1a5890af1dcc142

SHA256
14cb6e066d885fd92ba966ca3819cb9883f275dd1bdad6f62ca0081f714015d8

SHA512
24a8c181589377f37cd16788a91c2e5ecf4a919c111e50e55cc9ecb8a1cf4105703a71f2b314d49348a219c8cfa241cd76e7eff5e097ca6e0ce5bdcc750d4b84

Download Submit
memory/1676-21-0x000002A31D1D0000-0x000002A31D1F2000-memory.dmp

Filesize
136KB

Download
memory/4480-203-0x00007FF970660000-0x00007FF971122000-memory.dmp

Filesize
10.8MB

Download
memory/4480-6-0x00007FF970660000-0x00007FF971122000-memory.dmp

Filesize
10.8MB

Download
memory/4480-12-0x00007FF970660000-0x00007FF971122000-memory.dmp

Filesize
10.8MB

Download
memory/4480-4-0x00007FF970663000-0x00007FF970665000-memory.dmp

Filesize
8KB

Download
memory/4480-9-0x00007FF970663000-0x00007FF970665000-memory.dmp

Filesize
8KB

Download
memory/4480-5-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/4568-89-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-91-0x00007FF94F230000-0x00007FF94F240000-memory.dmp

Filesize
64KB

Download
memory/4568-87-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-90-0x00007FF94F230000-0x00007FF94F240000-memory.dmp

Filesize
64KB

Download
memory/4568-88-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-85-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-86-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-208-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-211-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-210-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download
memory/4568-209-0x00007FF951DD0000-0x00007FF951DE0000-memory.dmp

Filesize
64KB

Download