Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30-05-2024 11:19

General

  • Target

    receipt.exe

  • Size

    2.0MB

  • MD5

    fb1cd25e6a5154eb70d1f10c56b41ca6

  • SHA1

    c294d819ff140d153dac91df321b7135d5e59ede

  • SHA256

    68535d5ca02f0c0bbd40b4ec132111abcb835945095498bb6c5eec282042818f

  • SHA512

    dcd241be029953a436fca00ec3eb8f9d3dd3b78d84c3143bdc7f5fc5829c23b3ad0ff8a04745fb9743edf8fdcb959f2095c4a591fe0b3e0e03fe739abfa48b8b

  • SSDEEP

    12288:CIUG1oR2wJRCZZzbnSzsfwYAO4rdvN8WkEeI5Q9zf4AoTf3iqY33yCRqiwGVf:CIUz2wnCZZzbn/4ymDyk0T3iodFh

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

UxOlPOZZNwNV9srk

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/Dh8E7H3R

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\receipt.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k copy Adrian Adrian.cmd & Adrian.cmd & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:5108
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:2544
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:4904
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 824903
          4⤵
          PID:5000
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "RELAXATIONTENNISYOURSSCAN" Seek
          4⤵
          PID:4420
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Measurements + Asked + Report 824903\t
          4⤵
          PID:3184
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif
          824903\Suse.pif 824903\t
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4440
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
        3⤵
        • Creates scheduled task(s)
        PID:4168
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & echo URL="C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & exit
      2⤵
      • Drops startup file
      PID:836
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2600

              Downloads
