xworm | c3dbb0cdfb5ffc4c6165592894ce40ef5c4eb08cab0fc0eba653754c1e9226c4

Analysis

max time kernel
261s
max time network
270s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-01-2025 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6.rar
Size

28.4MB
MD5

ae964c40d3d4685854dd99ee42c5bede
SHA1

ecb17be9b845e8f5197d323081e5b175c3f3776b
SHA256

c3dbb0cdfb5ffc4c6165592894ce40ef5c4eb08cab0fc0eba653754c1e9226c4
SHA512

7add1340cba6bd70c32c293d645249083fa1b68b8031c959e4642f89842fafbcdcea65a072182bbab4b8e45849553d7a032847c514ee2f386b53efa5c5d1ed98
SSDEEP

786432:RUfB6rabFkApfjyzdw35cJ0BJwE8FWH3s9z/H/hE2:Rgx6MfEw35c3PFWEi2

Score

10^/10

xworm execution rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002aac1-56.dat	family_xworm
behavioral1/memory/2840-67-0x0000000000BD0000-0x0000000000C04000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3424	powershell.exe
3176	powershell.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001d00000002aa87-20.dat	net_reactor
behavioral1/files/0x001b00000002aac1-56.dat	net_reactor
behavioral1/memory/2840-67-0x0000000000BD0000-0x0000000000C04000-memory.dmp	net_reactor

Executes dropped EXE 9 IoCs

pid	Process
4484	Xworm V5.6.exe
4912	XwormLoader.exe
1948	Xworm V5.6.exe
2840	taskhostw.exe
4956	XwormLoader.exe
4544	Xworm V5.6.exe
4984	Xworm V5.6.exe
400	taskhostw.exe
4264	Xworm V5.6.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\taskhostw.exe	XwormLoader.exe
File created	C:\Windows\taskhostw.exe	XwormLoader.exe
File opened for modification	C:\Windows\taskhostw.exe	XwormLoader.exe
File created	C:\Windows\taskhostw.exe	XwormLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1552	schtasks.exe
1136	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2840	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3796	7zFM.exe
3796	7zFM.exe
3424	powershell.exe
3424	powershell.exe
3796	7zFM.exe
3796	7zFM.exe
2840	taskhostw.exe
3796	7zFM.exe
3796	7zFM.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
3176	powershell.exe
3176	powershell.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3796	7zFM.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	3796	7zFM.exe
Token: 35	3796	7zFM.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeDebugPrivilege	4912	XwormLoader.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	2840	taskhostw.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeDebugPrivilege	4956	XwormLoader.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	400	taskhostw.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeSecurityPrivilege	3796	7zFM.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe
3796	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	taskhostw.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4484	3796	7zFM.exe	77
PID 3796 wrote to memory of 4484	3796	7zFM.exe	77
PID 3796 wrote to memory of 4912	3796	7zFM.exe	83
PID 3796 wrote to memory of 4912	3796	7zFM.exe	83
PID 4912 wrote to memory of 1948	4912	XwormLoader.exe	85
PID 4912 wrote to memory of 1948	4912	XwormLoader.exe	85
PID 4912 wrote to memory of 3424	4912	XwormLoader.exe	86
PID 4912 wrote to memory of 3424	4912	XwormLoader.exe	86
PID 4912 wrote to memory of 1552	4912	XwormLoader.exe	88
PID 4912 wrote to memory of 1552	4912	XwormLoader.exe	88
PID 4912 wrote to memory of 2840	4912	XwormLoader.exe	90
PID 4912 wrote to memory of 2840	4912	XwormLoader.exe	90
PID 3796 wrote to memory of 4956	3796	7zFM.exe	94
PID 3796 wrote to memory of 4956	3796	7zFM.exe	94
PID 3796 wrote to memory of 4544	3796	7zFM.exe	97
PID 3796 wrote to memory of 4544	3796	7zFM.exe	97
PID 4956 wrote to memory of 4984	4956	XwormLoader.exe	98
PID 4956 wrote to memory of 4984	4956	XwormLoader.exe	98
PID 4956 wrote to memory of 3176	4956	XwormLoader.exe	99
PID 4956 wrote to memory of 3176	4956	XwormLoader.exe	99
PID 4956 wrote to memory of 1136	4956	XwormLoader.exe	101
PID 4956 wrote to memory of 1136	4956	XwormLoader.exe	101
PID 4956 wrote to memory of 400	4956	XwormLoader.exe	103
PID 4956 wrote to memory of 400	4956	XwormLoader.exe	103
PID 3796 wrote to memory of 1476	3796	7zFM.exe	110
PID 3796 wrote to memory of 1476	3796	7zFM.exe	110
PID 2860 wrote to memory of 4020	2860	cmd.exe	117
PID 2860 wrote to memory of 4020	2860	cmd.exe	117
PID 3796 wrote to memory of 4264	3796	7zFM.exe	118
PID 3796 wrote to memory of 4264	3796	7zFM.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\7zO4DE83838\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4DE83838\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\7zO4DEEA068\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4DEEA068\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\7zO4DEEA068\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4DEEA068\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskhostw" /SC ONLOGON /TR "C:\Windows\taskhostw.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1552
- - C:\Windows\taskhostw.exe
    "C:\Windows\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\7zO4DEC7088\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4DEC7088\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\7zO4DEC7088\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4DEC7088\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskhostw" /SC ONLOGON /TR "C:\Windows\taskhostw.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1136
- - C:\Windows\taskhostw.exe
    "C:\Windows\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- C:\Users\Admin\AppData\Local\Temp\7zO4DEDD8F8\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4DEDD8F8\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO4DE3DB59\Fixer.bat" "
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\7zO4DED34F9\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4DED34F9\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4264

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Fixer.bat" "
1⤵
PID:3896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\XwormLoader.exe.log

Filesize
496B

MD5
960277d850a1bf8c4e1bebf4ac24e470

SHA1
5d17283c2f2a829a8ffcbc90d20724e454d102db

SHA256
486aa8e2fdc112d56044724909c72ebe18d18e1e71cd75100317df87b12d84a8

SHA512
cdbdf25788bd7a1f389c1a39e14d3124b2effff2f20dd5349c8582764b8f664640ca57bdb36ac216bee921a646b4460c9f13dd145f0687b609a4f149862fcc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\fd55cdd9-2866-406a-b322-4695af2d6ced.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4DE3DB59\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4DE83838\Xworm V5.6.exe

Filesize
14.9MB

MD5
cac67604904dce94d230953f170d4391

SHA1
9ea639f23a5699bb66ca5da55b2458347aed6f13

SHA256
64e5b7463d340b9a8b9d911860b4d635b0cf68afbe3593ed3cc6cbb13db0b27b

SHA512
af358008abb47a345a53dab222a01ab6c0ed10185fca8d2be9af2892161f150c8cc8a7f75272d1eb1acd17b49f32d3531adbc1cfdd153cc7c3e90841cabe766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4DEEA068\XwormLoader.exe

Filesize
7.9MB

MD5
004c566cb64a9b99f4422a767c072a22

SHA1
ab709644ce1f58b4a1874351a7971dd3fb9466a6

SHA256
d0c67ff5fa0ac161777a95d150fa523e0b26ea106144f99c32de8716a880236e

SHA512
9c0d2fa2bb5137e2d5934ff985c710a371c8f74d67f92a914da0ece44c2660d8abca5d90188ac5088e885d7e197c4ebb3488faf01516435e9e781c367f6bcc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iteips51.eab.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
49KB

MD5
3fe48fb25091a9d13b94f8b81c1be040

SHA1
21f5adcd4f852b3e3a84ae7788ede8f2f26a6515

SHA256
d5d9ec6461c30880496d1ee5a8d770d59ced59d1b28e015d08d44832ced60591

SHA512
e02f495ee34dd013bba39a1c4a8bf22db122d54fcda84a8aa8557462a2f13a058f05d0eb13a817ba45b5527f830492e5a00365b5eb4122ed6b8f28a9ffd2d308

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
52KB

MD5
d38a4df37fc1e0de13628e4df4e09578

SHA1
4e4282e1d01a2c74dd83f7792250f339d71cdf1d

SHA256
3d4ed1437a34be6f0828a390ca1ae3b171708c3454107eb76633edef0b7312ab

SHA512
58b318d17da49d186a4b71331cb638f67b8b435f28533f8612a37ebfe10681ea28fbdc181da147b1394198becb34e215a8cad58d0f580bfefd71c7d0527bf4cf

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
48KB

MD5
76589979ba83b9d9e42e862628f31a76

SHA1
110e05c6620d0b4c554a4fb8cea33eb17c90c7a4

SHA256
8470fd388fbcd28f9b32489965bb4f29afa197c036b990739e4529e6c0dbada1

SHA512
03a90d11c6e693b61e9de77ea0ae66fa9b3875e11430ce98ce5c63f52102b31595d4e6344ca53afa2af5166dffb9489e0a3d687db2b0cc8c13135b643f9de97d

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
9c127d90b405f6e4e98e60bb83285a93

SHA1
358b36827fb8dbfd9f268d7278961ae3309baaa1

SHA256
878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578

SHA512
bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
39KB

MD5
ae29a896b340c460ce1c203d37c958b0

SHA1
f41325f3aa7e0165646cdc69405d9a513eda9532

SHA256
84b10a46dab646f3d5ed4531501849bbfcd5edaf33507f7c86e4ed818d782078

SHA512
b6d440fb52fca19912b1453af1fefaa15f891da3c55f225fb9bbf12b08f04825bd305130f2bf8ffcdc27a5a928b7db6ae8b6f22854adfccf4fdc4f34ef03da59

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
343KB

MD5
2c9ad275facb1b7e0c4ebed236149670

SHA1
68d7790d94162eab9c4b10e65d6b8b0b3037fdd7

SHA256
eb8032b911ac2970a111f99c57f007062a2d3cdd974fb918c120d1a837247bb9

SHA512
e7d342cea8146f4b4a14c610cb95733129e98c18f6abe927e5bd09ee48e80c7f44ebac90284339444a99f2cbd14aa3cd0f95a2297da853b61c545e93a616f931

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
330KB

MD5
eef040904001b47846b0254cbb163f1d

SHA1
0de996c13d07554f6accb91ce3349215390983b9

SHA256
0c5473a5dda4d667feb16c06194432b8d04d359c24419643294a815e67e1e362

SHA512
1bf3679bd36a5440ee0bd784613a2f26146aa1dea2b293a952e9b6b21c3ee99d770929d9605e0ceae5951e9a51c82665e29881883c45149bae8172afe93fcfa3

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
383KB

MD5
47c74f80a817dedccc920e25a3e83cef

SHA1
7c21cf9043e6c671f668deb27aab60a2443b04fd

SHA256
eb2888b009cca1e5f0c6cab07ac98a6cef6c00124ffc714817ef04ccccbcda03

SHA512
8013253a01bd561c77a4c329678963c2db7879c4a964bb506220578d490b9751f129bb8950f559b6d7eb4b58fceb6e8ddaf05bfaa20b02667c6e389e99e69047

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
385KB

MD5
c36ea3ddca7925200ea1192570123135

SHA1
097777edccace51e12deed802c864eaaf3ecc7d4

SHA256
5e658f8c7f720322ab41c286c886708dad068c62f718a4c1310a5d1a68a5031d

SHA512
7e3f4be49efb6d244fea4ec6641c348733fc71c4de864c982c9029c62a42e877c25605221bb7bfd7326a6bd6511d0ae34c624641b7b84323c2fdff2e4b66526d

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
378KB

MD5
967414fb708a10f37d841b21106a5650

SHA1
0b659f22fbc4c5ff9ac9f3c5e0cc955aa29ed46a

SHA256
565e887a5df25361120964d0a30d4ad12dbf7aaf6ae3770ed3795e9aad7f0995

SHA512
bc595cd992faa9c1de046b25bfba33aaa9cbbf429128d5973bd80b78f559d7616cd97fe6b92029ca40bda42985fe1a7a8c4899171d2b5d5a722d8761e90eec14

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
159KB

MD5
394e68a48cbedf2aa4290ad4be6c1254

SHA1
e9b5a4204bedd201adfee94cd4bd475f92d508a0

SHA256
48dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88

SHA512
5b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c

Download Submit
C:\Windows\taskhostw.exe

Filesize
183KB

MD5
31207a3ec25c1530f368a0298d108a09

SHA1
e80b4ef16a1f3df9764e6e9ae92a5372276a3a83

SHA256
7063531cc8e3c206a2f5c23c033d382dd1f2296650196179f8c64d68588288c8

SHA512
861538173fed16fbadd131659bc4289cd72f0a716d2d84bd9918a2b8c565e1cfdd4656cc40463d4c17356d6b9ab290f5fb0d323bfce9f3ed194993fc7f4fc523

Download Submit
memory/2840-67-0x0000000000BD0000-0x0000000000C04000-memory.dmp

Filesize
208KB

Download
memory/3424-49-0x00000297EA1E0000-0x00000297EA202000-memory.dmp

Filesize
136KB

Download
memory/4484-13-0x000001B57B860000-0x000001B57C748000-memory.dmp

Filesize
14.9MB

Download
memory/4484-14-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/4484-15-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/4484-12-0x00007FFF55633000-0x00007FFF55635000-memory.dmp

Filesize
8KB

Download
memory/4912-28-0x000000001C500000-0x000000001C562000-memory.dmp

Filesize
392KB

Download
memory/4912-29-0x000000001CA20000-0x000000001CAC6000-memory.dmp

Filesize
664KB

Download