xworm | 239584ed2b45abd89565c75968a8ca7d0624b2df851463f80a485e1efc04d9e4

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAM X222C#.exe
Size

3.3MB
MD5

631c497597c5c12304d528b24ccc31df
SHA1

9da881cd6797e4e8646de4df60eea73ae45c3133
SHA256

239584ed2b45abd89565c75968a8ca7d0624b2df851463f80a485e1efc04d9e4
SHA512

35a6bb13ff373aebb2a6fc080ea0f69e968fbef3441ce7f69604e5f97645ae9e6feb95bad1058fa58f8e652dcc2befd6464d9f62d707d8115c743c57a912957e
SSDEEP

98304:gm7q1K/hJp6SjJjtPzGhHzKIfx+ceJpTYZ:x7q1Irp9jltPahVfx+ceJtYZ

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7119

Mutex

Ljk1RFh4f0rbZvhE

Attributes

Install_directory
%Temp%
install_file
Realtec.exe

aes.plain

Extracted

Family

xworm

147.185.221.23:25808

Attributes

Install_directory
%LocalAppData%
install_file
Realtek HD Audio Universal Service.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d0e-11.dat	family_xworm
behavioral1/memory/2404-12-0x0000000000CA0000-0x0000000000CB0000-memory.dmp	family_xworm
behavioral1/files/0x0009000000016d18-17.dat	family_xworm
behavioral1/memory/2740-22-0x0000000000C70000-0x0000000000C8A000-memory.dmp	family_xworm
behavioral1/memory/1936-86-0x0000000000C30000-0x0000000000C40000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1432	powershell.exe
1696	powershell.exe
2892	powershell.exe
1384	powershell.exe
2988	powershell.exe
1608	powershell.exe
2356	powershell.exe
904	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtec.lnk	Realtek.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtec.lnk	Realtek.exe

Executes dropped EXE 6 IoCs

pid	Process
2664	SAM X222C#.exe
2404	Realtek.exe
2740	Realtek HD Audio Universal Service.exe
2580	SAM X222C#.exe
1200	Process not Found
1936	Realtec.exe

Loads dropped DLL 3 IoCs

pid	Process
2664	SAM X222C#.exe
2664	SAM X222C#.exe
2016	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Realtec.exe"	Realtek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe"	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAM X222C#.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a00000001227e-6.dat	nsis_installer_1
behavioral1/files/0x000a00000001227e-6.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SAM X222C#.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SAM X222C#.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SAM X222C#.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SAM X222C#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SAM X222C#.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1432	powershell.exe
1696	powershell.exe
2892	powershell.exe
1384	powershell.exe
2404	Realtek.exe
2988	powershell.exe
1608	powershell.exe
2356	powershell.exe
904	powershell.exe
2740	Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	Realtek.exe
Token: SeDebugPrivilege	2740	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	2580	SAM X222C#.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1936	Realtec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2404	Realtek.exe
2740	Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2664	2728	SAM X222C#.exe	30
PID 2728 wrote to memory of 2664	2728	SAM X222C#.exe	30
PID 2728 wrote to memory of 2664	2728	SAM X222C#.exe	30
PID 2728 wrote to memory of 2664	2728	SAM X222C#.exe	30
PID 2728 wrote to memory of 2404	2728	SAM X222C#.exe	31
PID 2728 wrote to memory of 2404	2728	SAM X222C#.exe	31
PID 2728 wrote to memory of 2404	2728	SAM X222C#.exe	31
PID 2664 wrote to memory of 2740	2664	SAM X222C#.exe	32
PID 2664 wrote to memory of 2740	2664	SAM X222C#.exe	32
PID 2664 wrote to memory of 2740	2664	SAM X222C#.exe	32
PID 2664 wrote to memory of 2740	2664	SAM X222C#.exe	32
PID 2664 wrote to memory of 2580	2664	SAM X222C#.exe	33
PID 2664 wrote to memory of 2580	2664	SAM X222C#.exe	33
PID 2664 wrote to memory of 2580	2664	SAM X222C#.exe	33
PID 2664 wrote to memory of 2580	2664	SAM X222C#.exe	33
PID 2404 wrote to memory of 1432	2404	Realtek.exe	35
PID 2404 wrote to memory of 1432	2404	Realtek.exe	35
PID 2404 wrote to memory of 1432	2404	Realtek.exe	35
PID 2404 wrote to memory of 1696	2404	Realtek.exe	38
PID 2404 wrote to memory of 1696	2404	Realtek.exe	38
PID 2404 wrote to memory of 1696	2404	Realtek.exe	38
PID 2404 wrote to memory of 2892	2404	Realtek.exe	40
PID 2404 wrote to memory of 2892	2404	Realtek.exe	40
PID 2404 wrote to memory of 2892	2404	Realtek.exe	40
PID 2404 wrote to memory of 1384	2404	Realtek.exe	42
PID 2404 wrote to memory of 1384	2404	Realtek.exe	42
PID 2404 wrote to memory of 1384	2404	Realtek.exe	42
PID 2404 wrote to memory of 2708	2404	Realtek.exe	44
PID 2404 wrote to memory of 2708	2404	Realtek.exe	44
PID 2404 wrote to memory of 2708	2404	Realtek.exe	44
PID 2740 wrote to memory of 2988	2740	Realtek HD Audio Universal Service.exe	46
PID 2740 wrote to memory of 2988	2740	Realtek HD Audio Universal Service.exe	46
PID 2740 wrote to memory of 2988	2740	Realtek HD Audio Universal Service.exe	46
PID 2740 wrote to memory of 1608	2740	Realtek HD Audio Universal Service.exe	48
PID 2740 wrote to memory of 1608	2740	Realtek HD Audio Universal Service.exe	48
PID 2740 wrote to memory of 1608	2740	Realtek HD Audio Universal Service.exe	48
PID 2740 wrote to memory of 2356	2740	Realtek HD Audio Universal Service.exe	50
PID 2740 wrote to memory of 2356	2740	Realtek HD Audio Universal Service.exe	50
PID 2740 wrote to memory of 2356	2740	Realtek HD Audio Universal Service.exe	50
PID 2740 wrote to memory of 904	2740	Realtek HD Audio Universal Service.exe	52
PID 2740 wrote to memory of 904	2740	Realtek HD Audio Universal Service.exe	52
PID 2740 wrote to memory of 904	2740	Realtek HD Audio Universal Service.exe	52
PID 1460 wrote to memory of 1936	1460	taskeng.exe	55
PID 1460 wrote to memory of 1936	1460	taskeng.exe	55
PID 1460 wrote to memory of 1936	1460	taskeng.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
"C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Roaming\SAM X222C#.exe
  "C:\Users\Admin\AppData\Roaming\SAM X222C#.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:904
- - C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
    "C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- C:\Users\Admin\AppData\Roaming\Realtek.exe
  "C:\Users\Admin\AppData\Roaming\Realtek.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Realtek.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtec.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtec.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Realtec" /tr "C:\Users\Admin\AppData\Local\Temp\Realtec.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2708

C:\Windows\system32\taskeng.exe
taskeng.exe {9636B1FD-3B8A-4486-AD4D-AD5FAFC0617A} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\Realtec.exe
  C:\Users\Admin\AppData\Local\Temp\Realtec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

Filesize
3.7MB

MD5
ad991add5af431b8d808cf9035a5cd46

SHA1
d7ac382fa834529219db1b76e4d928ff24f1245b

SHA256
a1dfdf32f2a82156bb3007896a9672fa05aba8ce4c668c3f4dce449a1a811a19

SHA512
b876e8380ab97dade3f875a7e0cee2dc598ba55143921bdd1f1d9d2d5be55c25d62b12aaef424227e1450f6ddf67a4e04e3f4fc846182abb842c4c821997cbbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EC1XMF7HDGSTB8O2CIAB.temp

Filesize
7KB

MD5
eae835dc12ffb9d1d56196bfb9c7db43

SHA1
b7131cfc15ebb81307fb070a9a249265a6451949

SHA256
754ec1dd44b9205dc7c23f1dc0cb5af9c29a5f1fc97922f3d79189b2c40bb7c3

SHA512
2be1dc7b3066ed32eb8fed1b30cb072f0801258e9c21aaeccb98758edb6a5e3036c33d7e3d27dfefbc16e96c256c642f890e745ea34029c53be6d294863f72bc

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek.exe

Filesize
39KB

MD5
27794afa5d5c5cf091e80de14bdb218a

SHA1
ec07edcd5c705ae72a7d477f0ffeb867ea7eb5db

SHA256
502c51b32b810e755b91cfd9a11230f6e0bf3baceda87f527f4ccc555aac9946

SHA512
667de7a923e39214db1f40175984832098b4a75869c145888536e21ec1fa6a36777e5c0b6d89669611377b19b04b8c818fdb05a2db1c94ab135bc796167a2491

Download Submit
C:\Users\Admin\AppData\Roaming\SAM X222C#.exe

Filesize
3.3MB

MD5
918951c4657e9cdf39ac1b275bfd2e95

SHA1
7323e59b2c4d60b6639bfcba11f4c02bcb94e347

SHA256
b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505

SHA512
438c7554d8b72db63d598085b2c6fae9bfa1895154ebbaf96a5d2a498459b9a3516611613515f04dbc198edb8b2d7ce2ce63975064f28af63f3efa1e50e3e0d7

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
79KB

MD5
066d90fb1d671648842a3b46622eb7ce

SHA1
6d0949bd4f494c9f8d80b705a79cfa9038c80e51

SHA256
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8

SHA512
b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

Download Submit
memory/1432-37-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1432-36-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1696-44-0x00000000021A0000-0x00000000021A8000-memory.dmp

Filesize
32KB

Download
memory/1696-43-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1936-86-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/2404-28-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-12-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/2404-81-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-29-0x0000000000FB0000-0x0000000001374000-memory.dmp

Filesize
3.8MB

Download
memory/2580-30-0x000000001C610000-0x000000001C824000-memory.dmp

Filesize
2.1MB

Download
memory/2728-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2728-1-0x0000000001020000-0x000000000137C000-memory.dmp

Filesize
3.4MB

Download
memory/2740-22-0x0000000000C70000-0x0000000000C8A000-memory.dmp

Filesize
104KB

Download
memory/2892-50-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download