xred | 411d03fc0033d10d8b0f59e6838828246033c94860831f51088798cd6ad56eec

Analysis

max time kernel
15s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAMXPrivateAIMBOTAIESPLINE.exe
Size

2.8MB
MD5

5237179905c59d4110036f8b250466e2
SHA1

18f8eb69c0645b4bcc315d658f6328697b989890
SHA256

411d03fc0033d10d8b0f59e6838828246033c94860831f51088798cd6ad56eec
SHA512

81367da947778e34257ba93d0137a0b8194d45c8d961163595cc8797b8a4ef03e80ec11494c76a8c298b575da6a236888c3cc59fbd668927a96a0bfba7204b5a
SSDEEP

49152:RnsHyjtk2MYC5GD/dT0ynE9sua+PfPBnFJghdfwqOAaR8fHYW9:Rnsmtk2aUF0yn01hWwqOPRm9

Score

10^/10

xred xworm backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

5.0

147.185.221.24:4236

Mutex

sMqfq2Kriwy3pLvt

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015e71-31.dat	family_xworm
behavioral1/files/0x000800000001658c-47.dat	family_xworm
behavioral1/memory/2664-56-0x0000000000400000-0x00000000004CD000-memory.dmp	family_xworm
behavioral1/memory/2552-63-0x0000000000DC0000-0x0000000000DD2000-memory.dmp	family_xworm
behavioral1/memory/1548-90-0x0000000000400000-0x00000000004CD000-memory.dmp	family_xworm
behavioral1/memory/1932-107-0x0000000000400000-0x00000000004CD000-memory.dmp	family_xworm
behavioral1/memory/2524-204-0x0000000000980000-0x0000000000992000-memory.dmp	family_xworm
behavioral1/memory/2712-247-0x0000000000AA0000-0x0000000000AB2000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
2788	powershell.exe
2652	powershell.exe
2588	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	._cache_svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	._cache_svchost.exe

Executes dropped EXE 14 IoCs

pid	Process
2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe
2744	SAM X HUTTA.exe
2664	svchost.exe
2696	Synaptics.exe
2552	._cache_svchost.exe
2996	Synaptics.exe
1484	._cache_Synaptics.exe
1720	SAM X HUTTA.exe
2164	._cache_Synaptics.exe
1932	svchost.exe
2332	SAM X HUTTA.exe
1548	svchost.exe
668	._cache_svchost.exe
1692	._cache_svchost.exe

Loads dropped DLL 23 IoCs

pid	Process
1868	SAMXPrivateAIMBOTAIESPLINE.exe
2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe
2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe
2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe
1868	SAMXPrivateAIMBOTAIESPLINE.exe
1868	SAMXPrivateAIMBOTAIESPLINE.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2996	Synaptics.exe
2696	Synaptics.exe
2696	Synaptics.exe
1484	._cache_Synaptics.exe
2996	Synaptics.exe
2996	Synaptics.exe
1484	._cache_Synaptics.exe
2164	._cache_Synaptics.exe
1548	svchost.exe
1932	svchost.exe
1548	svchost.exe
1548	svchost.exe
1932	svchost.exe
1932	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SAMXPrivateAIMBOTAIESPLINE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	._cache_svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAMXPrivateAIMBOTAIESPLINE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_SAMXPrivateAIMBOTAIESPLINE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1964	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1508	EXCEL.EXE
2552	._cache_svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1604	powershell.exe
2788	powershell.exe
2652	powershell.exe
2588	powershell.exe
2552	._cache_svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	._cache_svchost.exe
Token: SeDebugPrivilege	668	._cache_svchost.exe
Token: SeDebugPrivilege	1692	._cache_svchost.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2552	._cache_svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1508	EXCEL.EXE
2552	._cache_svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2004	1868	SAMXPrivateAIMBOTAIESPLINE.exe	31
PID 1868 wrote to memory of 2004	1868	SAMXPrivateAIMBOTAIESPLINE.exe	31
PID 1868 wrote to memory of 2004	1868	SAMXPrivateAIMBOTAIESPLINE.exe	31
PID 1868 wrote to memory of 2004	1868	SAMXPrivateAIMBOTAIESPLINE.exe	31
PID 2004 wrote to memory of 2744	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	32
PID 2004 wrote to memory of 2744	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	32
PID 2004 wrote to memory of 2744	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	32
PID 2004 wrote to memory of 2744	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	32
PID 2004 wrote to memory of 2664	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	33
PID 2004 wrote to memory of 2664	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	33
PID 2004 wrote to memory of 2664	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	33
PID 2004 wrote to memory of 2664	2004	._cache_SAMXPrivateAIMBOTAIESPLINE.exe	33
PID 1868 wrote to memory of 2696	1868	SAMXPrivateAIMBOTAIESPLINE.exe	34
PID 1868 wrote to memory of 2696	1868	SAMXPrivateAIMBOTAIESPLINE.exe	34
PID 1868 wrote to memory of 2696	1868	SAMXPrivateAIMBOTAIESPLINE.exe	34
PID 1868 wrote to memory of 2696	1868	SAMXPrivateAIMBOTAIESPLINE.exe	34
PID 2664 wrote to memory of 2552	2664	svchost.exe	35
PID 2664 wrote to memory of 2552	2664	svchost.exe	35
PID 2664 wrote to memory of 2552	2664	svchost.exe	35
PID 2664 wrote to memory of 2552	2664	svchost.exe	35
PID 2664 wrote to memory of 2996	2664	svchost.exe	36
PID 2664 wrote to memory of 2996	2664	svchost.exe	36
PID 2664 wrote to memory of 2996	2664	svchost.exe	36
PID 2664 wrote to memory of 2996	2664	svchost.exe	36
PID 2696 wrote to memory of 1484	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1484	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1484	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1484	2696	Synaptics.exe	37
PID 1484 wrote to memory of 1720	1484	._cache_Synaptics.exe	39
PID 1484 wrote to memory of 1720	1484	._cache_Synaptics.exe	39
PID 1484 wrote to memory of 1720	1484	._cache_Synaptics.exe	39
PID 1484 wrote to memory of 1720	1484	._cache_Synaptics.exe	39
PID 2996 wrote to memory of 2164	2996	Synaptics.exe	41
PID 2996 wrote to memory of 2164	2996	Synaptics.exe	41
PID 2996 wrote to memory of 2164	2996	Synaptics.exe	41
PID 2996 wrote to memory of 2164	2996	Synaptics.exe	41
PID 1484 wrote to memory of 1932	1484	._cache_Synaptics.exe	40
PID 1484 wrote to memory of 1932	1484	._cache_Synaptics.exe	40
PID 1484 wrote to memory of 1932	1484	._cache_Synaptics.exe	40
PID 1484 wrote to memory of 1932	1484	._cache_Synaptics.exe	40
PID 2164 wrote to memory of 2332	2164	._cache_Synaptics.exe	42
PID 2164 wrote to memory of 2332	2164	._cache_Synaptics.exe	42
PID 2164 wrote to memory of 2332	2164	._cache_Synaptics.exe	42
PID 2164 wrote to memory of 2332	2164	._cache_Synaptics.exe	42
PID 2164 wrote to memory of 1548	2164	._cache_Synaptics.exe	43
PID 2164 wrote to memory of 1548	2164	._cache_Synaptics.exe	43
PID 2164 wrote to memory of 1548	2164	._cache_Synaptics.exe	43
PID 2164 wrote to memory of 1548	2164	._cache_Synaptics.exe	43
PID 1548 wrote to memory of 668	1548	svchost.exe	44
PID 1548 wrote to memory of 668	1548	svchost.exe	44
PID 1548 wrote to memory of 668	1548	svchost.exe	44
PID 1548 wrote to memory of 668	1548	svchost.exe	44
PID 1932 wrote to memory of 1692	1932	svchost.exe	45
PID 1932 wrote to memory of 1692	1932	svchost.exe	45
PID 1932 wrote to memory of 1692	1932	svchost.exe	45
PID 1932 wrote to memory of 1692	1932	svchost.exe	45
PID 2552 wrote to memory of 1604	2552	._cache_svchost.exe	48
PID 2552 wrote to memory of 1604	2552	._cache_svchost.exe	48
PID 2552 wrote to memory of 1604	2552	._cache_svchost.exe	48
PID 2552 wrote to memory of 2788	2552	._cache_svchost.exe	50
PID 2552 wrote to memory of 2788	2552	._cache_svchost.exe	50
PID 2552 wrote to memory of 2788	2552	._cache_svchost.exe	50
PID 2552 wrote to memory of 2652	2552	._cache_svchost.exe	53
PID 2552 wrote to memory of 2652	2552	._cache_svchost.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SAMXPrivateAIMBOTAIESPLINE.exe
"C:\Users\Admin\AppData\Local\Temp\SAMXPrivateAIMBOTAIESPLINE.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\._cache_SAMXPrivateAIMBOTAIESPLINE.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_SAMXPrivateAIMBOTAIESPLINE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\SAM X HUTTA.exe
    "C:\Users\Admin\SAM X HUTTA.exe"
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Users\Admin\svchost.exe
    "C:\Users\Admin\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1964
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Users\Admin\SAM X HUTTA.exe
        
        "C:\Users\Admin\SAM X HUTTA.exe"
        6⤵
        Executes dropped EXE
        
        PID:2332
      - C:\Users\Admin\svchost.exe
        
        "C:\Users\Admin\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\SAM X HUTTA.exe
      "C:\Users\Admin\SAM X HUTTA.exe"
      4⤵
      Executes dropped EXE
      PID:1720
  - - C:\Users\Admin\svchost.exe
      "C:\Users\Admin\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\system32\taskeng.exe
taskeng.exe {429BCEA9-B3AE-4492-B7DE-62BD6820D918} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:808
- C:\Users\Admin\svchost.exe
  C:\Users\Admin\svchost.exe
  2⤵
  PID:2524
- C:\Users\Admin\svchost.exe
  C:\Users\Admin\svchost.exe
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.8MB

MD5
5237179905c59d4110036f8b250466e2

SHA1
18f8eb69c0645b4bcc315d658f6328697b989890

SHA256
411d03fc0033d10d8b0f59e6838828246033c94860831f51088798cd6ad56eec

SHA512
81367da947778e34257ba93d0137a0b8194d45c8d961163595cc8797b8a4ef03e80ec11494c76a8c298b575da6a236888c3cc59fbd668927a96a0bfba7204b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

Filesize
26KB

MD5
a9e6b26e6a4232bc4176097b0d4cba2d

SHA1
0bbcdf08686b01d43c2b4a3c85cbc605ace0273c

SHA256
2e2ff6f31a1397b6bce90af5d4074e84ec7f4fde79ab88fc8b9c198b948418bd

SHA512
cfaafe0b9b3180eb01669da08d529ec0ec8a9df5a48d2427b9fc5bb52c79f570d49e6b88c0c75b07951df93c55c4e8f3157699f07bd7065d58fe9f308758885d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

Filesize
29KB

MD5
79269501de62896f5c07b335e245a9f5

SHA1
ed276b18a7e8b2a2204b534dad6c91c2393c3dd7

SHA256
c1ad48451a16833ea84612f6893106cdb80303d9c8a4ffcd181a0b94d9b455be

SHA512
3a7319138e1b606e40a9033db8eab846b9b6a3799d615fecadcb2ff122f265ab18d524350967186a8bcb6af541c799aa12e8c87bf14c5cd0df0bfaf9ab6e57ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

Filesize
29KB

MD5
44e8aee69258d741c163b3afb6d2ba5b

SHA1
0f8d4f45252a34e7a46eedb72444ed7865ed6909

SHA256
afba74a4974967c79eafc274b1b30d5eb0bb870bd63b32caed498b57f702db98

SHA512
b3699a7e974fb0ce0302713b32e2edd5c5775dda9160ac091120941a70854c4db6eebcdc4c8460ee470f10654caf176dd4c113b232bc5733b239f2b94540d7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

Filesize
30KB

MD5
cb833ee868b6d3173e06ee4639d828e1

SHA1
eb492308f18d60f3615db5c9b8e900be3bf79842

SHA256
a755d75257b24c8f0467238e4601ccaa9d5545da660de8d33416ffc6780e8559

SHA512
728d322b8cd40928ab1ad0bab190cf261f8ba751f87e8e2967aee781b4d3c4fa9f5d86ce2dfb6de8e36bcfe2ede170d45845a3f34f4e7a3ea472b9982a2388eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$jtyFgrIf.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f4391b50281f204fb970b273ab59528

SHA1
ff84d7925a65ee9ead60d69d1d5bb177b22b4f3f

SHA256
b33038ddf0a873be92afa0da68e2ac05180a4f0eba4ca6e9f8a0a736548b265e

SHA512
645c3ae04a06ff8e46395140c51a7851e5073cdef99b7daa1707ad0955342b2abf9c985160fdae054c8c5feb82494d95ed1771bdf3e3e3a717c1677b3c00587c

Download Submit
C:\Users\Admin\svchost.exe

Filesize
797KB

MD5
63d88f269efd7ed3a5b44b285dd30bab

SHA1
b54410712a60d6004e09c96893b3ab2bc991e814

SHA256
ff4f9974e9e49e68fe433940289a7e38de533d8089532a82c33d69786e12bbc6

SHA512
da0ec300fb8c3fe3bdb29814dedd6926cf6f49538f3e92d5ef93c42235b3ad5bdb8e270cdf801a5e6d6f36bcc24dc8b42442892194113cd6e85de36eec55e1ab

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_SAMXPrivateAIMBOTAIESPLINE.exe

Filesize
2.1MB

MD5
aaff00706d8ec73235fb063fd5f6f504

SHA1
2e0146da29b32f015d213751c4c95b2921aff9f9

SHA256
c6ecdeaebb0346bfbd8f591376e9fe7bee47c64b794b75fbbbdf185373b18adb

SHA512
ce763c2bc79ba3616930757531b2fef88139391c3bc2d9299453aabb88470644a824f0d413af0511ab9d531b36b935b8258c8643fce098af824e6cc2b3d445f8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_svchost.exe

Filesize
44KB

MD5
915a239651c9fb559bcec11cb0acf752

SHA1
f1a737defacaff35f711fde979678cb9aafba0ca

SHA256
ee7cbbb0f54b585b2efbbeb218a5d166df028b8d1d035a1463f284ad32465e86

SHA512
6d7be5cfadb068bbb644f101dc312436b38fb42d94381c946ac477431eec55b3e77abb3912c00c4f7199f03406531713e77fd7342867fff67be98e4aa19d9cac

Download Submit
\Users\Admin\SAM X HUTTA.exe

Filesize
1.3MB

MD5
7d57b6456ec3fdfd1ecfcb8cd7016185

SHA1
bc2a446083332b5ede87c634c7ae53bf65ca917d

SHA256
8834db4e7a3abc24aa49582bc3b680f27c22f2d68053223bf6f5c1d545bef77a

SHA512
0845991ea72baf1705e4424bd5100bf4d19ab636b827297eda21420f5561db5a00d63d27c479e8b12c72ca8dba21b442d43c57d79484111414f11bfbd4aeab13

Download Submit
memory/1508-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1508-169-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1548-90-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1604-174-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1604-175-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/1868-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1868-41-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/1932-107-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2524-204-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2552-63-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/2588-196-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2664-56-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2696-183-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2696-205-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2696-244-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2712-247-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2788-182-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/2788-181-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2996-184-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download