Analysis

  • max time kernel
    108s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-05-2024 17:30

General

  • Target

    CTF.exe

  • Size

    52KB

  • MD5

    742202b5ba58f3d7070309cc25d55289

  • SHA1

    30713b70173b58c33af8a85ccd1be2d87359b085

  • SHA256

    27f05dfa1faa3d5e32972dd559db095a9b535f2f5698df247b26dd0a57bf1467

  • SHA512

    fde78c427c05e5be820d3905776491ca29b8dd119cb8ab31d06daeb513e6f4b7769cf024ac45de7fdbdcb3359563b77df507350071d1bda3b17adda119d037cf

  • SSDEEP

    768:uL2+qG2JR4W4HFDuayfrxym0EYOubkLyGQ0TqU6GO5hF8cHJ:HdunJuVDUlbkGGQOqU6GO5b3p

Malware Config

Extracted

Family

xworm

C2

0.tcp.eu.ngrok.io:15487

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • ModiLoader Second Stage 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CTF.exe
    "C:\Users\Admin\AppData\Local\Temp\CTF.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CTF.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CTF.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3284
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\obptie.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1736
    • C:\Users\Admin\AppData\Local\Temp\tgipou.exe
      "C:\Users\Admin\AppData\Local\Temp\tgipou.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2864
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3484
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4008
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3068
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2616
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3084
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3836
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:1040
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1668
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2912
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4828
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2364
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4328
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3604
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1064
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4536
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4028
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4828
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3764
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3156
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4592
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3840
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:720
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2020
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4468
    • C:\Windows\system32\msinfo32.exe
      "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\StopConvert.nfo"
      2⤵
      PID:2364
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4952
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize: 471B
    MD5: 0298c8a5b1db1a03e13bf3090825351b
    SHA1: 33f731752599253e9db28a3f654133bdcb5f743a
    SHA256: 6b1b8cd62483a00f1f24e39d077ba8a5a6580b2a2c571cae354a1d56c7019fba
    SHA512: d8b65d1d5575f2efb5cfe32367f381146173feb86dc611d7edb2ad4c7f9fab91d501b23b58c453455741f309d5fd3a20bf9dad4264aa47ed4ad4009eb9988563

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize: 412B
    MD5: a57feedea962ab3d6333df75ab26df68
    SHA1: da0ea2a14f81ed9a7adeb6f309fe48c15a8d69df
    SHA256: 5a3692c6e0b3792da6aff02015bd02db9d7d952c46c7bb0b1503115b9ffd9f69
    SHA512: 4258ffe5700eb8c3381f5bcbd5b7a4be6c275470d528b6763b4f30f0b7a406607ad011b9e81ff9a9df67d441c283c18011217c14ffb8be5327d474c41403fd5f

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 77d622bb1a5b250869a3238b9bc1402b
    SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
    SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
    SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 5eb22cd0efc6546df9ac335ef6a13ae6
    SHA1: b46be73d3bd52e784a481496ff590f32eda2a3a9
    SHA256: 296cc72d6ed688e329518aadbfcaa6d8d49567aea62ec88af7d95bdd96b94e8f
    SHA512: ea865f87c8d7a073a48e7dd245e574f7beff0f13c435f58c0babd404c7fa5d05000d2c38aea4d503c73acaaa3f8442273ee1223193bd1e1634f221d1672e2395

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 98baf5117c4fcec1692067d200c58ab3
    SHA1: 5b33a57b72141e7508b615e17fb621612cb8e390
    SHA256: 30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
    SHA512: 344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
    Filesize: 2KB
    MD5: 313ca7096678f593f0fb245a71d5524d
    SHA1: 01ec06effdcc1eb6ed321bf8570a5fe3ca641866
    SHA256: 2219dbd037c23fb9e84d35eaae2a3cbc1a78832681b5a545f759ae83807fff96
    SHA512: 7be7e45abb8073570bf4d58935ead0487f49aa2d29d38100612f39964fe527ed95edfbfba7068a4cb84a7ab4db7217477714c7b753de554196a76e198640704d

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133592311073221071.txt
    Filesize: 75KB
    MD5: e7494073aeaffe7245802f28cd30054f
    SHA1: 092227bbf58c514ba5829345ec903b622cd2c636
    SHA256: 0792b6ce23ecab01dcc88e8fe286355f09b4fcc4708797a42574181a44ce1356
    SHA512: 4edeb6dae45dd79893541beb8343b469d7dfe876d2463ec1141dfd475831923443b45828b032ccc6faa36b9c735e4484ccce62f30b725ffee650e417dc3c39f7

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\N2176ZEZ\microsoft.windows[1].xml
    Filesize: 97B
    MD5: bdd90a1d11585d1f2b7720be412bc048
    SHA1: b6245dfce68b60c708dd7ecabaebeabcbb53920f
    SHA256: ddf2d606339b78bea2b3d3e823f4074cc7a4c8281242a81cc0c2c0332b08330e
    SHA512: e62ea18449d0d36f50bcb3590a2c60397a8dbb7654b375facab3ee3ef6d0efb9a1cd67ba8e4af23ac1b3ca5955a9125c7b8fa2fa6781ad214f37d0ed3ef8c950

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4xypnbt.fkj.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\obptie.txt
    Filesize: 73B
    MD5: 14971ff50a2c64ab66b3c75dbc7d4843
    SHA1: 06ccc16cc89657fcb273ce32a9e08e390bb941b2
    SHA256: 89958b18030ce0c7df6fbfd12060ad8352ed9db5c15d322fcefcf3fc3989519d
    SHA512: 1aa3ec9efab14b0aca49605e721555e5f4c04dc289faa5513948bca004da9c8c7ed615f1d75d40b2ab14dab03500bdb3939c497b8e10bf67378e1557556c3f7e

  • C:\Users\Admin\AppData\Local\Temp\tgipou.exe
    Filesize: 206KB
    MD5: 9f651f1d0558abd7b1c154e2f62ca805
    SHA1: ff55de48651bd4f35b7a41b56db2c37a038289bc
    SHA256: 12d7b0e21dc5c11862794b698e2e675810fbaae69cb106e43ce2b4e372265284
    SHA512: cf25c4402b4156c8148b8d5567f97bca98666d1c7a493e2bd661e5468599ca13adf2bd9bbc158797d4ae46113017020b65316ddeacb1126fe0ea9a5f3056a2a2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
    Filesize: 7KB
    MD5: a0afd869fd9b377a44b3ecdaee1a1b89
    SHA1: 8b04cdbd5c4bdc81e61c5221d2f5d1cc403e52bb
    SHA256: ce4445ac04f3b3dbb95d156e061365feb825e0b6b2f8984d983369c0f5d574c6
    SHA512: a8d907b1674cb25b0ca92d972f79cfd98ec91bad454e4993d563d0273cdf4250189d9528ed25e0b55bcc2244254191e9fb12c829abe3c74eaec7efe31acfd7c8
