Analysis

  • max time kernel
    136s
  • max time network
    134s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    15-09-2024 17:09

General

  • Target

    svchost.exe

  • Size

    90KB

  • MD5

    8f535a06fc7c41dcef821b0459066961

  • SHA1

    279430ac0656ca0863aea9e02e47bd1988fa63c1

  • SHA256

    acd88b193946ae308f578a08a3426bf6d162f6af6f01401ba264b01e732bbddc

  • SHA512

    0ffe370fe384b4a7dc3b8003f7d9e7a5901bb9cf7d3524852db3dbad3b8dc0f3ec3de9a0787db72d79c2ded1166e8ea3b8772e0841e776793ecc2996b3aa729f

  • SSDEEP

    1536:2BveucywHzpDOGugyUGlFCxdGqPKlbuQbcfhE50T6UiLlOBDf1vJJF82jik:kvcySpDImxalbuVhE9lOVf1vbh

Malware Config

Extracted

Family

xworm

C2

147.185.221.22:46682

127.0.0.1:46682

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7460424057:AAFqb7sl9YoUjtnfCXABy_ETYSrIdrvDNo8/sendMessage?chat_id=7309152263

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3308
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff81ee53cb8,0x7ff81ee53cc8,0x7ff81ee53cd8
        3⤵
        PID:1244
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
        3⤵
        PID:4400
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2676
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
        3⤵
        PID:4272
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        3⤵
        PID:496
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        3⤵
        PID:4788
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3416
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1372
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
        3⤵
        PID:4896
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2502668874613687441,3479932274862480127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        3⤵
        PID:2224
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3900
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2640
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1908
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4880
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

    Filesize

    654B

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize

    16B

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize

    10KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghhfixvn.up1.ps1

    Filesize

    60B

  • C:\Users\Admin\Desktop\How To Decrypt My Files.html

    Filesize

    639B

  • C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

    Filesize

    16B

  • \??\pipe\LOCAL\crashpad_3512_ENRKUCBLSOSQIODT
