xworm | 239584ed2b45abd89565c75968a8ca7d0624b2df851463f80a485e1efc04d9e4

Analysis

max time kernel
132s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

3.3MB
MD5

631c497597c5c12304d528b24ccc31df
SHA1

9da881cd6797e4e8646de4df60eea73ae45c3133
SHA256

239584ed2b45abd89565c75968a8ca7d0624b2df851463f80a485e1efc04d9e4
SHA512

35a6bb13ff373aebb2a6fc080ea0f69e968fbef3441ce7f69604e5f97645ae9e6feb95bad1058fa58f8e652dcc2befd6464d9f62d707d8115c743c57a912957e
SSDEEP

98304:gm7q1K/hJp6SjJjtPzGhHzKIfx+ceJpTYZ:x7q1Irp9jltPahVfx+ceJtYZ

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7119

Mutex

Ljk1RFh4f0rbZvhE

Attributes

Install_directory
%Temp%
install_file
Realtec.exe

aes.plain

Extracted

Family

xworm

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000800000001660e-11.dat	family_xworm
behavioral1/memory/2540-12-0x00000000009D0000-0x00000000009E0000-memory.dmp	family_xworm
behavioral1/files/0x0009000000016890-17.dat	family_xworm
behavioral1/memory/2512-22-0x0000000001240000-0x000000000125A000-memory.dmp	family_xworm
behavioral1/memory/532-84-0x00000000013D0000-0x00000000013E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1224	powershell.exe
836	powershell.exe
304	powershell.exe
908	powershell.exe
1952	powershell.exe
2840	powershell.exe
1820	powershell.exe
2484	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtec.lnk	Realtek.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtec.lnk	Realtek.exe

Executes dropped EXE 7 IoCs

pid	Process
1892	SAM X222C#.exe
2540	Realtek.exe
2512	Realtek HD Audio Universal Service.exe
1804	SAM X222C#.exe
1184	Process not Found
532	Realtec.exe
1528	Realtec.exe

Loads dropped DLL 3 IoCs

pid	Process
1892	SAM X222C#.exe
1892	SAM X222C#.exe
2708	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Realtec.exe"	Realtek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe"	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAM X222C#.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00090000000120f9-6.dat	nsis_installer_1
behavioral1/files/0x00090000000120f9-6.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SAM X222C#.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SAM X222C#.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SAM X222C#.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SAM X222C#.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SAM X222C#.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2840	powershell.exe
1820	powershell.exe
2484	powershell.exe
1224	powershell.exe
2540	Realtek.exe
836	powershell.exe
304	powershell.exe
908	powershell.exe
1952	powershell.exe
2512	Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	Realtek.exe
Token: SeDebugPrivilege	2512	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	1804	SAM X222C#.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	532	Realtec.exe
Token: SeDebugPrivilege	1528	Realtec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2540	Realtek.exe
2512	Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1892	2352	Output.exe	30
PID 2352 wrote to memory of 1892	2352	Output.exe	30
PID 2352 wrote to memory of 1892	2352	Output.exe	30
PID 2352 wrote to memory of 1892	2352	Output.exe	30
PID 2352 wrote to memory of 2540	2352	Output.exe	31
PID 2352 wrote to memory of 2540	2352	Output.exe	31
PID 2352 wrote to memory of 2540	2352	Output.exe	31
PID 1892 wrote to memory of 2512	1892	SAM X222C#.exe	32
PID 1892 wrote to memory of 2512	1892	SAM X222C#.exe	32
PID 1892 wrote to memory of 2512	1892	SAM X222C#.exe	32
PID 1892 wrote to memory of 2512	1892	SAM X222C#.exe	32
PID 1892 wrote to memory of 1804	1892	SAM X222C#.exe	33
PID 1892 wrote to memory of 1804	1892	SAM X222C#.exe	33
PID 1892 wrote to memory of 1804	1892	SAM X222C#.exe	33
PID 1892 wrote to memory of 1804	1892	SAM X222C#.exe	33
PID 2540 wrote to memory of 2840	2540	Realtek.exe	35
PID 2540 wrote to memory of 2840	2540	Realtek.exe	35
PID 2540 wrote to memory of 2840	2540	Realtek.exe	35
PID 2540 wrote to memory of 1820	2540	Realtek.exe	38
PID 2540 wrote to memory of 1820	2540	Realtek.exe	38
PID 2540 wrote to memory of 1820	2540	Realtek.exe	38
PID 2540 wrote to memory of 2484	2540	Realtek.exe	40
PID 2540 wrote to memory of 2484	2540	Realtek.exe	40
PID 2540 wrote to memory of 2484	2540	Realtek.exe	40
PID 2540 wrote to memory of 1224	2540	Realtek.exe	42
PID 2540 wrote to memory of 1224	2540	Realtek.exe	42
PID 2540 wrote to memory of 1224	2540	Realtek.exe	42
PID 2540 wrote to memory of 2856	2540	Realtek.exe	44
PID 2540 wrote to memory of 2856	2540	Realtek.exe	44
PID 2540 wrote to memory of 2856	2540	Realtek.exe	44
PID 2512 wrote to memory of 836	2512	Realtek HD Audio Universal Service.exe	46
PID 2512 wrote to memory of 836	2512	Realtek HD Audio Universal Service.exe	46
PID 2512 wrote to memory of 836	2512	Realtek HD Audio Universal Service.exe	46
PID 2512 wrote to memory of 304	2512	Realtek HD Audio Universal Service.exe	48
PID 2512 wrote to memory of 304	2512	Realtek HD Audio Universal Service.exe	48
PID 2512 wrote to memory of 304	2512	Realtek HD Audio Universal Service.exe	48
PID 2512 wrote to memory of 908	2512	Realtek HD Audio Universal Service.exe	50
PID 2512 wrote to memory of 908	2512	Realtek HD Audio Universal Service.exe	50
PID 2512 wrote to memory of 908	2512	Realtek HD Audio Universal Service.exe	50
PID 2512 wrote to memory of 1952	2512	Realtek HD Audio Universal Service.exe	52
PID 2512 wrote to memory of 1952	2512	Realtek HD Audio Universal Service.exe	52
PID 2512 wrote to memory of 1952	2512	Realtek HD Audio Universal Service.exe	52
PID 1608 wrote to memory of 532	1608	taskeng.exe	56
PID 1608 wrote to memory of 532	1608	taskeng.exe	56
PID 1608 wrote to memory of 532	1608	taskeng.exe	56
PID 1608 wrote to memory of 1528	1608	taskeng.exe	57
PID 1608 wrote to memory of 1528	1608	taskeng.exe	57
PID 1608 wrote to memory of 1528	1608	taskeng.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\SAM X222C#.exe
  "C:\Users\Admin\AppData\Roaming\SAM X222C#.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
    "C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- C:\Users\Admin\AppData\Roaming\Realtek.exe
  "C:\Users\Admin\AppData\Roaming\Realtek.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Realtek.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtec.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtec.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Realtec" /tr "C:\Users\Admin\AppData\Local\Temp\Realtec.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2856

C:\Windows\system32\taskeng.exe
taskeng.exe {939ABAC9-8001-40A3-86CE-C2674501CE6E} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\Realtec.exe
  C:\Users\Admin\AppData\Local\Temp\Realtec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Users\Admin\AppData\Local\Temp\Realtec.exe
  C:\Users\Admin\AppData\Local\Temp\Realtec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
069359f6dce31444182d3d155919e6c4

SHA1
1930a381ce868f2a6fe32293587e64681b50955d

SHA256
5fa0f3dd5277d4d0be324ac9a557a70cb647430ee834df85db2c5774249104be

SHA512
e41b894031dac5394d84683d7f9ca3a8c855929f9816ef15571b733bac9a3b439a16ab25a6d9972e8c27f86f5ec1e967e19d5f65c42aa7abb62189bbe2d7f4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek.exe

Filesize
39KB

MD5
27794afa5d5c5cf091e80de14bdb218a

SHA1
ec07edcd5c705ae72a7d477f0ffeb867ea7eb5db

SHA256
502c51b32b810e755b91cfd9a11230f6e0bf3baceda87f527f4ccc555aac9946

SHA512
667de7a923e39214db1f40175984832098b4a75869c145888536e21ec1fa6a36777e5c0b6d89669611377b19b04b8c818fdb05a2db1c94ab135bc796167a2491

Download Submit
C:\Users\Admin\AppData\Roaming\SAM X222C#.exe

Filesize
3.3MB

MD5
918951c4657e9cdf39ac1b275bfd2e95

SHA1
7323e59b2c4d60b6639bfcba11f4c02bcb94e347

SHA256
b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505

SHA512
438c7554d8b72db63d598085b2c6fae9bfa1895154ebbaf96a5d2a498459b9a3516611613515f04dbc198edb8b2d7ce2ce63975064f28af63f3efa1e50e3e0d7

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
79KB

MD5
066d90fb1d671648842a3b46622eb7ce

SHA1
6d0949bd4f494c9f8d80b705a79cfa9038c80e51

SHA256
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

SHA512
b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

Download Submit
\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

Filesize
3.7MB

MD5
ad991add5af431b8d808cf9035a5cd46

SHA1
d7ac382fa834529219db1b76e4d928ff24f1245b

SHA256
a1dfdf32f2a82156bb3007896a9672fa05aba8ce4c668c3f4dce449a1a811a19

SHA512
b876e8380ab97dade3f875a7e0cee2dc598ba55143921bdd1f1d9d2d5be55c25d62b12aaef424227e1450f6ddf67a4e04e3f4fc846182abb842c4c821997cbbd

Download Submit
memory/532-84-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1804-28-0x0000000001240000-0x0000000001604000-memory.dmp

Filesize
3.8MB

Download
memory/1804-30-0x000000001C8A0000-0x000000001CAB4000-memory.dmp

Filesize
2.1MB

Download
memory/1820-43-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1820-42-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2352-1-0x0000000000FF0000-0x000000000134C000-memory.dmp

Filesize
3.4MB

Download
memory/2352-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/2512-22-0x0000000001240000-0x000000000125A000-memory.dmp

Filesize
104KB

Download
memory/2540-29-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-79-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-12-0x00000000009D0000-0x00000000009E0000-memory.dmp

Filesize
64KB

Download
memory/2840-36-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2840-35-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download