xworm | 29e587daa7349fb2b43549afa499283b8449daea51365d2bba22a2bfe727fc75

Analysis

max time kernel
50s
max time network
51s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCINSTALLER.exe
Size

15.8MB
MD5

eeb2753555dacb5baf2845522740627d
SHA1

0d0cb6b3d5d9e126f6ae60f60d0ac8cbe164ef33
SHA256

29e587daa7349fb2b43549afa499283b8449daea51365d2bba22a2bfe727fc75
SHA512

4839507182bda9a2f782da5e5be30f9fae167cdce2a78d8bab3df3cb321fab7c1c3ef2b28e0a079f75a29c27df5b5b1bbaddf75852450a1691f3137521655070
SSDEEP

393216:zKjbZBCC8qxl0ARCxhApMeQaHsWWWlbjJtKhPM1JR9:zKnZtLl0ARCxK+4Hs+lihU7n

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

hardware-bands.gl.at.ply.gg:63257

Mutex

GRHeRJRFnCzlkxGI

Attributes

Install_directory
%AppData%
install_file
DiscordAutoUpdate.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe family_xworm
behavioral1/memory/2636-26-0x0000000000810000-0x0000000000824000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3116 powershell.exe
4220 powershell.exe
1340 powershell.exe
2860 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe	family_xworm
behavioral1/memory/2636-26-0x0000000000810000-0x0000000000824000-memory.dmp	family_xworm

Drops startup file 2 IoCs

Processes:

Updater.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordAutoUpdate.lnk	Updater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordAutoUpdate.lnk	Updater.exe

Executes dropped EXE 3 IoCs

Processes:

Updater.exeSCINSTALLER.exeUpdater.exe

pid process

4576 Updater.exe
1156 SCINSTALLER.exe
2636 Updater.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

5060 MsiExec.exe
5060 MsiExec.exe
5060 MsiExec.exe
5060 MsiExec.exe
5060 MsiExec.exe
5060 MsiExec.exe

pid	process
4576	Updater.exe
1156	SCINSTALLER.exe
2636	Updater.exe

pid	process
5060	MsiExec.exe
5060	MsiExec.exe
5060	MsiExec.exe
5060	MsiExec.exe
5060	MsiExec.exe
5060	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Updater.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordAutoUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\DiscordAutoUpdate.exe"	Updater.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SCINSTALLER.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	SCINSTALLER.exe
File opened (read-only)	\??\U:	SCINSTALLER.exe
File opened (read-only)	\??\W:	SCINSTALLER.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	SCINSTALLER.exe
File opened (read-only)	\??\L:	SCINSTALLER.exe
File opened (read-only)	\??\S:	SCINSTALLER.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	SCINSTALLER.exe
File opened (read-only)	\??\B:	SCINSTALLER.exe
File opened (read-only)	\??\K:	SCINSTALLER.exe
File opened (read-only)	\??\N:	SCINSTALLER.exe
File opened (read-only)	\??\T:	SCINSTALLER.exe
File opened (read-only)	\??\V:	SCINSTALLER.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	SCINSTALLER.exe
File opened (read-only)	\??\Q:	SCINSTALLER.exe
File opened (read-only)	\??\R:	SCINSTALLER.exe
File opened (read-only)	\??\Z:	SCINSTALLER.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	SCINSTALLER.exe
File opened (read-only)	\??\X:	SCINSTALLER.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	SCINSTALLER.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	SCINSTALLER.exe
File opened (read-only)	\??\J:	SCINSTALLER.exe
File opened (read-only)	\??\M:	SCINSTALLER.exe
File opened (read-only)	\??\Y:	SCINSTALLER.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4296 schtasks.exe

flow	ioc
4	ip-api.com

pid	process
4296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeUpdater.exe

pid	process
3116	powershell.exe
3116	powershell.exe
3116	powershell.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
1340	powershell.exe
1340	powershell.exe
1340	powershell.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
2636	Updater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Updater.exemsiexec.exeSCINSTALLER.exe

description	pid	process
Token: SeDebugPrivilege	2636	Updater.exe
Token: SeSecurityPrivilege	3764	msiexec.exe
Token: SeCreateTokenPrivilege	1156	SCINSTALLER.exe
Token: SeAssignPrimaryTokenPrivilege	1156	SCINSTALLER.exe
Token: SeLockMemoryPrivilege	1156	SCINSTALLER.exe
Token: SeIncreaseQuotaPrivilege	1156	SCINSTALLER.exe
Token: SeMachineAccountPrivilege	1156	SCINSTALLER.exe
Token: SeTcbPrivilege	1156	SCINSTALLER.exe
Token: SeSecurityPrivilege	1156	SCINSTALLER.exe
Token: SeTakeOwnershipPrivilege	1156	SCINSTALLER.exe
Token: SeLoadDriverPrivilege	1156	SCINSTALLER.exe
Token: SeSystemProfilePrivilege	1156	SCINSTALLER.exe
Token: SeSystemtimePrivilege	1156	SCINSTALLER.exe
Token: SeProfSingleProcessPrivilege	1156	SCINSTALLER.exe
Token: SeIncBasePriorityPrivilege	1156	SCINSTALLER.exe
Token: SeCreatePagefilePrivilege	1156	SCINSTALLER.exe
Token: SeCreatePermanentPrivilege	1156	SCINSTALLER.exe
Token: SeBackupPrivilege	1156	SCINSTALLER.exe
Token: SeRestorePrivilege	1156	SCINSTALLER.exe
Token: SeShutdownPrivilege	1156	SCINSTALLER.exe
Token: SeDebugPrivilege	1156	SCINSTALLER.exe
Token: SeAuditPrivilege	1156	SCINSTALLER.exe
Token: SeSystemEnvironmentPrivilege	1156	SCINSTALLER.exe
Token: SeChangeNotifyPrivilege	1156	SCINSTALLER.exe
Token: SeRemoteShutdownPrivilege	1156	SCINSTALLER.exe
Token: SeUndockPrivilege	1156	SCINSTALLER.exe
Token: SeSyncAgentPrivilege	1156	SCINSTALLER.exe
Token: SeEnableDelegationPrivilege	1156	SCINSTALLER.exe
Token: SeManageVolumePrivilege	1156	SCINSTALLER.exe
Token: SeImpersonatePrivilege	1156	SCINSTALLER.exe
Token: SeCreateGlobalPrivilege	1156	SCINSTALLER.exe
Token: SeCreateTokenPrivilege	1156	SCINSTALLER.exe
Token: SeAssignPrimaryTokenPrivilege	1156	SCINSTALLER.exe
Token: SeLockMemoryPrivilege	1156	SCINSTALLER.exe
Token: SeIncreaseQuotaPrivilege	1156	SCINSTALLER.exe
Token: SeMachineAccountPrivilege	1156	SCINSTALLER.exe
Token: SeTcbPrivilege	1156	SCINSTALLER.exe
Token: SeSecurityPrivilege	1156	SCINSTALLER.exe
Token: SeTakeOwnershipPrivilege	1156	SCINSTALLER.exe
Token: SeLoadDriverPrivilege	1156	SCINSTALLER.exe
Token: SeSystemProfilePrivilege	1156	SCINSTALLER.exe
Token: SeSystemtimePrivilege	1156	SCINSTALLER.exe
Token: SeProfSingleProcessPrivilege	1156	SCINSTALLER.exe
Token: SeIncBasePriorityPrivilege	1156	SCINSTALLER.exe
Token: SeCreatePagefilePrivilege	1156	SCINSTALLER.exe
Token: SeCreatePermanentPrivilege	1156	SCINSTALLER.exe
Token: SeBackupPrivilege	1156	SCINSTALLER.exe
Token: SeRestorePrivilege	1156	SCINSTALLER.exe
Token: SeShutdownPrivilege	1156	SCINSTALLER.exe
Token: SeDebugPrivilege	1156	SCINSTALLER.exe
Token: SeAuditPrivilege	1156	SCINSTALLER.exe
Token: SeSystemEnvironmentPrivilege	1156	SCINSTALLER.exe
Token: SeChangeNotifyPrivilege	1156	SCINSTALLER.exe
Token: SeRemoteShutdownPrivilege	1156	SCINSTALLER.exe
Token: SeUndockPrivilege	1156	SCINSTALLER.exe
Token: SeSyncAgentPrivilege	1156	SCINSTALLER.exe
Token: SeEnableDelegationPrivilege	1156	SCINSTALLER.exe
Token: SeManageVolumePrivilege	1156	SCINSTALLER.exe
Token: SeImpersonatePrivilege	1156	SCINSTALLER.exe
Token: SeCreateGlobalPrivilege	1156	SCINSTALLER.exe
Token: SeCreateTokenPrivilege	1156	SCINSTALLER.exe
Token: SeAssignPrimaryTokenPrivilege	1156	SCINSTALLER.exe
Token: SeLockMemoryPrivilege	1156	SCINSTALLER.exe
Token: SeIncreaseQuotaPrivilege	1156	SCINSTALLER.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SCINSTALLER.exe

pid process

1156 SCINSTALLER.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Updater.exe

pid process

2636 Updater.exe

pid	process
1156	SCINSTALLER.exe

pid	process
2636	Updater.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

SCINSTALLER.execmd.exeUpdater.exemsiexec.exeUpdater.exe

description	pid	process	target process
PID 600 wrote to memory of 4740	600	SCINSTALLER.exe	cmd.exe
PID 600 wrote to memory of 4740	600	SCINSTALLER.exe	cmd.exe
PID 4740 wrote to memory of 4576	4740	cmd.exe	Updater.exe
PID 4740 wrote to memory of 4576	4740	cmd.exe	Updater.exe
PID 600 wrote to memory of 1156	600	SCINSTALLER.exe	SCINSTALLER.exe
PID 600 wrote to memory of 1156	600	SCINSTALLER.exe	SCINSTALLER.exe
PID 600 wrote to memory of 1156	600	SCINSTALLER.exe	SCINSTALLER.exe
PID 4576 wrote to memory of 2636	4576	Updater.exe	Updater.exe
PID 4576 wrote to memory of 2636	4576	Updater.exe	Updater.exe
PID 3764 wrote to memory of 5060	3764	msiexec.exe	MsiExec.exe
PID 3764 wrote to memory of 5060	3764	msiexec.exe	MsiExec.exe
PID 3764 wrote to memory of 5060	3764	msiexec.exe	MsiExec.exe
PID 2636 wrote to memory of 3116	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 3116	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 4220	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 4220	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 1340	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 1340	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 2860	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 2860	2636	Updater.exe	powershell.exe
PID 2636 wrote to memory of 4296	2636	Updater.exe	schtasks.exe
PID 2636 wrote to memory of 4296	2636	Updater.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SCINSTALLER.exe
"C:\Users\Admin\AppData\Local\Temp\SCINSTALLER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Update.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Updater.exe
Updater.exe -p1 -dC:\
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Updater.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DiscordAutoUpdate.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DiscordAutoUpdate.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DiscordAutoUpdate" /tr "C:\Users\Admin\AppData\Roaming\DiscordAutoUpdate.exe"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\SCINSTALLER.exe
"C:\SCINSTALLER.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F6BC46580315CF80E88F497AF3327698 C
2⤵
- Loads dropped DLL
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SCINSTALLER.exe
Filesize
17.6MB

MD5
b0ea56470940e14501f3de3704ee3dfd

SHA1
344a32cd672ae105a3d4d154c58c7c10345746a7

SHA256
a08acf97b669ad3896c129066e8afaea4173ff8e6d49256475adb07491dc160b

SHA512
ff3d9f9d9102f72daee17b86d30e6b6bb52c3b8b8f7f36e41d5bf656d3f1f8dc678bc41d446cde4519761942578bd16676dfe47797c7459cda3cd4420113708f

Download Submit
C:\Update.bat
Filesize
32B

MD5
3f9796a1e6dd10ed454b549ca3fdf90b

SHA1
21e091cd74c2f64177151a9dc3145af4afe180c9

SHA256
0be82af909a46119371c621504e53fee8c82ae691dccbf5c04cbcc9e51eb87f2

SHA512
81b631669d3b9510b903edbe372c02899ef6abd699198b296f0495e6d917dba4985ff12b0e4c44256c4e89bbcd888044fd610326d03d7f2d834256df12b36507

Download Submit
C:\Updater.exe
Filesize
471KB

MD5
d4948d78b2f0090c8b648a01fbedbd09

SHA1
83d365b0740babd40d7e88e8a479e720a4369878

SHA256
d742be12a3f9cec578354e3f4aeb85f6b577f03f8a6fee887602e23ede55b1c0

SHA512
91eeeb7172a40409cef92e0e5d0ceb4e8f332e0aeabc9baa4666e4fe9c99842d5dd1b125ebf7a6e0f06639b8039c7fa45d7e652c066998fe4eae181854b3dfc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4efc3e54176f9977e6d94aef0a7ceecb

SHA1
ead91e356f71a7e8c30d1df3fac4c58de0492433

SHA256
7523a699fd1cc2504908ee4c5d1ae209835d4f5854ee6ceee016d7546cf84b36

SHA512
2a6654240750d35df581df39928bd0ee5bf6a395c4f51b94d47ef342cca9846094d0965713f75356130df0c4a949ef55b059196a5e5797a937dc6115f956b04b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2f13e03b2889fc038b2fd136227d2a65

SHA1
cf385345afeb0184a5673079c81425237c2eeac7

SHA256
13d51ee83dea2330422d3fe49d55689dea07272bc81fe48b27be1ca7bac27112

SHA512
e43db36e10fc86a5bea7af1e59893da2d84e47c5ce2bce7be0acd3acc35d3a015a0fc4907b22a592dd59909e79d5f65b54aad2b9bedd593507a84c85e6987f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
21f30fc02ee39ea6ad863f274363386e

SHA1
baa426003561fdffc474d397486a411bc13641a9

SHA256
4f25ba849e507694737ef4559dcced4ef12e0a00d53328044e607b5b0a1fe5e3

SHA512
da94e5a9dd82e6b7f7205af0f5595cf777ba29c92cbaf0f0009bb426661876838df77ab550b44870b682b881ab18ccf5c87dcf4307d83f91c94a8dfc822909fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1156\aboutbtn
Filesize
1KB

MD5
b51b54b77e9cbfdb1063f7487c1c07ec

SHA1
8a8a7036cfbc86a537447bf71b9f6795923db8b9

SHA256
9d7243c688264329a8cb9e22da00b651e0a9407741d722e03dd67cc8b3ee1335

SHA512
04cef1aa3a530e7f03054369450eb42f36bf45c13c7445adf450ec4635a8601447c5bb6e978b3adabe9021019644681bf1609539eb548dd50ada973aac0c6555

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1156\background
Filesize
2KB

MD5
9e23da7c3cd3fb8113e698a12a3d3047

SHA1
6d021109495d77a53afe101f2b03a4da847e6d99

SHA256
b671008e5d4a15409051d7b3d2aa40f7c028e1dab5876c2882976793abb9356c

SHA512
65e885984681cee190764515f61bb8da3c29463b87f4371fff27ae4c4089af46c9b98910a847ec29d7368160d6aaf841fb93f1347c9abc47bce5cf997c8b4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1156\buttonimgs
Filesize
1KB

MD5
6956ac5e9d5e47daeb7d147d67d9e526

SHA1
427449cf08f0c78f1bf3850565201991828e278c

SHA256
f8f4efdb34b00775638c95568761c93436812af56c8f41116f2f92a987ca9ae0

SHA512
a82f9d199e36dfcdad7393761d1cf541d67b0b70d4b31cf71ad38dab3e95b351143c1aff4adea3207d1fd1e9c3523e9b7e3cea37cb61f9f2845894c60327651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1156\checkernewicon.png
Filesize
3KB

MD5
b1618ec6d5e7c1e293cb36ab87371615

SHA1
a9c47241b1378bca3b541abb07aeb4b1feb0ccf4

SHA256
76adccd20b35ba40b9be5ac4194941625826084f32a9c7c07090708946fc39c5

SHA512
a45e20225fe4d5989f6f8891274a8ed07f27c2b33545458f36bbb3356124fbf83c6d1523155b4830e6bb78a96e4fd282a7f43ec3d3ce77fe488f8640ff49da2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7503.tmp
Filesize
587KB

MD5
9e0aef52f6c03b2fea067342d9d4f22f

SHA1
d4431a858c8a7a79315829ec7aa82e838c2714f4

SHA256
42b8adafcb4e8496d9822a0c504f449e56456528a9251c153381d3f63d197e5b

SHA512
42858a6695d7906b3df4dc97f3b1fac737633a51ffb52e8ec8eddeb21f8cdb53c199bb698e54c4a931155eafd879de6fff114b84f298c84436b776e286ebeeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI767D.tmp
Filesize
1.1MB

MD5
c04ed00ddcb3518e8cf6db24db294a50

SHA1
cc98cc3ab9c4371f85ea227d9f761bab4aa76baa

SHA256
3c21e1f3bb3ebeb5f0ff68658db8abd18b62f8b195288c4bf87936fc51f8ae9e

SHA512
736946a3130f294878ea51145960017babcc1b8ac2c96afd8b9e2a4d120f173afb84bbd04b6f0113f286d4bc671befecd4e92c582f1de1a0d5bc8738c3cae9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI77E5.tmp
Filesize
709KB

MD5
eb7811666ac7be6477e23af68511424f

SHA1
1623579c5a3710dcc694a2fd49defa27d56d9175

SHA256
ad706739b04256b9215e80d2d030863a37f0d7fd0e4071d0a3a73d6704d8bd8f

SHA512
3055baa15c92f476513c66a423043dc4b8c5f83f47643ad77665d6a2f823f4655bf4ae241d8af4bc34d53630df1c35989f0b11b934a631960668fcc7a8c81a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe
Filesize
57KB

MD5
90a6868b7ce2020387d453aa38668584

SHA1
7bde411bb0d7b6aa7a020266a61ce0d61ef0b362

SHA256
d2b430a0c74ef2bd97c86d95c35fe964bd00ed17d2e6542be33cc7c99def9d5a

SHA512
243c6010cbee28f5181383565a00c22375828f8b5293d35d9512adb249a4fadfd04eab3fb7b9789d6e1bea39f1cf513439e0f7d72ecb69e00a16e8f6d7f0efcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1b00axfo.gdc.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\install\51B5780\SandeLLoCHECKER_Installer.msi
Filesize
4.7MB

MD5
69d9a69f84bc67feed975148b9e2ec7c

SHA1
b4cd30ae6c20a0a5297589a4739d9b5a3fc5154f

SHA256
2fc0bc7675b71742b759f44f00e23662f28ad3d04cc5e2956428e57cb61d55b7

SHA512
63b5c471d372611b3936f9f2dba302b95490719f228b7362c99957162f92fb4fb31d82dc5c6a55cf1f793dca9f321d601439c7f61aa94c11cc25302e365a428f

Download Submit
memory/2636-26-0x0000000000810000-0x0000000000824000-memory.dmp

Filesize
80KB

Download
memory/3116-133-0x000001F071C80000-0x000001F071CF6000-memory.dmp

Filesize
472KB

Download
memory/3116-130-0x000001F0714D0000-0x000001F0714F2000-memory.dmp

Filesize
136KB

Download