xworm | 12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

playit-0.9.4-signed.exe
Size

4.5MB
MD5

b5a2f8dde0d824b64b749f0db69d00d4
SHA1

2cf1025a87a2dee9972b71f54e399e37ae75e043
SHA256

12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906
SHA512

107a05c44148d9b4c7ae597c94e1a99809addeb43ade7178effd83758bd443afbaf9d3008894c8e5834ac9acb308517097418bc8a5f9f0d50d25a373aa6637d6
SSDEEP

98304:yJd9khieA3BPOtdBrkFVYBh7IoAyTzZwFkQoGtczBOlzp2ybcBk:yJnkvAxPO3BrkFVYBKoASaFJekl92AcB

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

147.185.221.23:24311

Attributes

Install_directory
%AppData%
install_file
RegEdit.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/3016-17-0x0000000000D90000-0x0000000000DA4000-memory.dmp	family_xworm
behavioral1/files/0x00090000000164c8-16.dat	family_xworm
behavioral1/memory/2448-645-0x00000000002A0000-0x00000000002B4000-memory.dmp	family_xworm
behavioral1/memory/2020-1205-0x0000000000280000-0x0000000000294000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
2628	powershell.exe
1356	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
2144	playit-0.9.3-signed.exe
3016	XClient.exe
2448	XClient.exe
2600	XClient.exe
2020	XClient.exe

Loads dropped DLL 3 IoCs

pid	Process
2956	playit-0.9.4-signed.exe
2956	playit-0.9.4-signed.exe
3024	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000d4066aeb0edb136a8a03b32014e331cb756ce9c5b036aed99d3b7d819c244797000000000e80000000020000200000003d907ad6044192baa2fe1a789adc2fc114889fe021a9dbceb292c7017868877d90000000a58787739ed8470cbdc5d8631453d3af310ab86974dfe999ed2ab6805a15de3fbc84e14a13722e1be0e0fb345b3749956fbbd7b012baf9942726b34acde5b0b60f1f52660469175878314a1cc868ed84ee023f513ce0c6a3a56ede493ebb466fdd8820c8038f0e5738cfbb84183e9775886943655fc47c0b5709acae255b0dcbce5fd614acff6731d219636d552e66584000000004622cf271f62082a398514d68066012d0631f8ef2a3bb738744ddbcea0e1787d515b9e7351c14a103242e31f0b0aa6c412252a5351b6dff4eecf0d9deb55df2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000007fbec1cbbf656422821b166094a3aabf2d7f104826ea26164487a4919b3c436b000000000e8000000002000020000000433d906a81e37a8ebdd9bf482ba214ed0cfae7d27a4b76851c8afa470079868c20000000a40d4b6af0588384c8a48bd0d78553df8fa4f803e0186ca63678bd6ad5a6e18b400000006cb3411d59ccf3ec44666d91048992b0a72ccd4e6e12525c432bb57b1d310a7030391547489d80cb695323abdbfa13d4f30d845d07974d4f9b8c46253420004e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68FD2BE1-9F02-11EF-9107-E62D5E492327} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0104d400f33db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437363685"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2628	powershell.exe
1356	powershell.exe
1708	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	XClient.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	3016	XClient.exe
Token: SeDebugPrivilege	2448	XClient.exe
Token: SeDebugPrivilege	2600	XClient.exe
Token: SeDebugPrivilege	2020	XClient.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2840	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2840	iexplore.exe
2840	iexplore.exe
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2144	2956	playit-0.9.4-signed.exe	30
PID 2956 wrote to memory of 2144	2956	playit-0.9.4-signed.exe	30
PID 2956 wrote to memory of 2144	2956	playit-0.9.4-signed.exe	30
PID 2956 wrote to memory of 3016	2956	playit-0.9.4-signed.exe	31
PID 2956 wrote to memory of 3016	2956	playit-0.9.4-signed.exe	31
PID 2956 wrote to memory of 3016	2956	playit-0.9.4-signed.exe	31
PID 2144 wrote to memory of 2840	2144	playit-0.9.3-signed.exe	34
PID 2144 wrote to memory of 2840	2144	playit-0.9.3-signed.exe	34
PID 2144 wrote to memory of 2840	2144	playit-0.9.3-signed.exe	34
PID 2840 wrote to memory of 2844	2840	iexplore.exe	35
PID 2840 wrote to memory of 2844	2840	iexplore.exe	35
PID 2840 wrote to memory of 2844	2840	iexplore.exe	35
PID 2840 wrote to memory of 2844	2840	iexplore.exe	35
PID 3016 wrote to memory of 2628	3016	XClient.exe	36
PID 3016 wrote to memory of 2628	3016	XClient.exe	36
PID 3016 wrote to memory of 2628	3016	XClient.exe	36
PID 3016 wrote to memory of 1356	3016	XClient.exe	38
PID 3016 wrote to memory of 1356	3016	XClient.exe	38
PID 3016 wrote to memory of 1356	3016	XClient.exe	38
PID 3016 wrote to memory of 1708	3016	XClient.exe	40
PID 3016 wrote to memory of 1708	3016	XClient.exe	40
PID 3016 wrote to memory of 1708	3016	XClient.exe	40
PID 3016 wrote to memory of 1740	3016	XClient.exe	43
PID 3016 wrote to memory of 1740	3016	XClient.exe	43
PID 3016 wrote to memory of 1740	3016	XClient.exe	43
PID 2216 wrote to memory of 2448	2216	taskeng.exe	47
PID 2216 wrote to memory of 2448	2216	taskeng.exe	47
PID 2216 wrote to memory of 2448	2216	taskeng.exe	47
PID 2216 wrote to memory of 2600	2216	taskeng.exe	48
PID 2216 wrote to memory of 2600	2216	taskeng.exe	48
PID 2216 wrote to memory of 2600	2216	taskeng.exe	48
PID 2216 wrote to memory of 2020	2216	taskeng.exe	49
PID 2216 wrote to memory of 2020	2216	taskeng.exe	49
PID 2216 wrote to memory of 2020	2216	taskeng.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe
"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
  "C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://playit.gg/claim/05cb33ea3b
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2844
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1740

C:\Windows\system32\taskeng.exe
taskeng.exe {79A3FCE1-B55E-4DEB-9E15-7C7FE93CE862} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
64fecf92ad820154729ed1313b3756b9

SHA1
9a3c055995beaa3bab8bd6222ea2d284f7601af3

SHA256
3287f5c84451bb0099921d26225cc11312f4ab70e95106f4108ab465b071e420

SHA512
da9d960936f8627462e173831071e7bb0e09e0606677662eae137d6452e0e9d36c1b7051c03182fadee9a5f04c65b9164c484558e078688dd56007d5c5e63bf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
bffd6b04a3a7aa506dfb49323756e174

SHA1
bcf97b94f6542ba9ab33ec760b3e3a40ad426299

SHA256
8e1d6b0daef7cec5488f92c7d0fa599218a79789829421e09ccfc59526897787

SHA512
366e1c9174bd4254905ae80bbf8862b88a3b24704f03c6c2609ee4d9e248de0c9e5f5acd23c9bd6ae1ded7ec3bd981f5cfe376f5f8a7f7ecba7d842bb4b585f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7368c4b853bbed0fe5e18ae5c656c32

SHA1
58932820d9c562f836f69233796b590257af6a5f

SHA256
9ebff48f2f937f79892ab7ab96075b9979185872c0517efa7e2b49419bc5f1cb

SHA512
3842c6ed6bc97d00f84bd2d07a22a6fe92b2ddd6867a131452ab0135b1104baa1d78653b65b8f7e043f9924d466a6f6523e3f521dc06c96806fff80cf036c3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aa445e8988537e1857a9264f9330a0b

SHA1
06fe259d99d54a2454bd20ed5c38234e0634a4d0

SHA256
48c22410d2fcf4456de25e5a9a1a3497d162c70553fc08fc88bd68c947569e62

SHA512
5dc58ab8c26f1adb798917ac14757795ba87c59bbfc815548fd30ed60a72fd7489bcc86313f98168e305e2b69be0658465e26d2af3de8ef9117c4b554bcfb962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74d852583a69ea615aa6af1bfa9e6114

SHA1
4955eb31bf90c5ec8be3e8e658f562cfc82cc77c

SHA256
151920fe8720b00d188ee9d305b06862cb305888df374de1f38a536c203c3165

SHA512
831cb4567ff0ebc8460f7277ca7b9142675b84b543dd471b9dfbce985cf6f1ef9eaba9ef3adbaedaf00b6462b854b3b396c8516053024265291dcb197500f2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e7a6e33165fe9b9f21f1327e0c9d7ad

SHA1
b845ce1e25315dc63b7d50d28aef81d70a58aa1f

SHA256
7e3be9be6a3d147c95a64ce8c90665ce14acce1e34e3153521f3acf6f80ab21b

SHA512
ce481820f49eb610fd5a3e976aa32df34c6feaecc6f337e2f5cb3829dea8036d1f0e797889d8b8e86fcb2fa495c4707ffdb62e7ab343896922cf6172fa8fba9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b099432d126bb32592e7fe046c631c9

SHA1
93bc25d0c8b7106a867f38735a7eb0ee7a6c49cd

SHA256
9051544fb96b802ff74c5c51961f6a629680bd34b1c55b0c6f1c1d840c1b4021

SHA512
cd512bb93868d313d87a50b0886526a5b6604a675591b97f419fb6b000c1946eb94a7b67920ae9e221b2e379702a9480f442b18752aa02e328b11cead5dffce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98ba2d75e26f5d14e648d6e1b0712d8b

SHA1
655b15f52d8589a938a568b75be78a411a15bbf3

SHA256
06e7dbebed51df62dc7d5b5302f7efb83202f55d5fba9262ada3ac1212160142

SHA512
c494febf5267ad574cdfcb2914382a570e1de8cf529d1925cec65671260c99da1a481914d407871593f84ca1974a72281b0130f674c8c475275e04f642e0e286

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab18a1a23eb6168f2ce432e7d344aeff

SHA1
07ed05dafcbe7c4355b2945b584feb6b6ec9beda

SHA256
c93a44c9aeecb178b28f61a8fc36c1be44bbbd31e6c2ca3cc4a08d06ccb22ba7

SHA512
3aba5ab44583f58f12e2af763dfc9e59740eea7d50c153e48db662c74069b883aa285e8d0ae249d1d708bad8929a85da6cdd75afc782df0b8244747de5ccb74a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6af7bd0a42cf19f440c4ceb898284b4

SHA1
f8823cc885375f2716eeef6c9fac2377c0898ecb

SHA256
a7c9d3444d38c79b9354ed028db65278b81c63699af1f6f14d3a2ce045c2a103

SHA512
16fa04e6c5f7b33a7128d7a140c861290f49a0da1cef9cbb7879f720d4f74da501d09385c69144ab97b63e73688030d55e3f0333c72e60f0d8e9f12f4224c5ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38f1a1bb89deb5082c46db928072c249

SHA1
5718562c9ca0bf028d6d5018a592f594f2e427d8

SHA256
72cce7d8cae05253c2253c6ba49cbd46be1eb2eb0b3fc05fd1c562d1c0cd50e9

SHA512
8bcf53cc3c64ca59b66bd274ce8b8dd811d69d43b7012e6572efc36ed3d4ecf0d7eed0895fd115121ecaf247d0ce7029873ddc00916154ec0e024b8bf1fc0005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39b0fa5bbe16db8d5f519d7da735cc3b

SHA1
1c0d84f3cb55068c1f17fe1969b703a740df70fc

SHA256
b7e7372d668b9db15f48d68ea1753af874773a251212d91d7eb12abe70b6aa3e

SHA512
68d2ad8d74595c6029e82317a1bbe55a94f80090951dc8b072064245b479ebe10b095a95f3610dff79e88b71ca12f8e568b9dfef3dfda03da9dbfd00c3e069c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
348ee8ddd7b9683f5ba9c9b3ff1edbe0

SHA1
160dd73c182192159e75f16196412db02a5a7b39

SHA256
5b404ee494c048cc712d960e4aa68aee37a011cd3200df394dbedf9ee2a6ddff

SHA512
4408cef85aa2fdd9f278ad824bd348dad647e0432e16302f617cfd66ac878cc21c47245a43d33cbf540a324f6d62dcb913955f13f2b725e3d07762058b82052a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bbed9754c6b92563377d668c5c02d6e

SHA1
970e97dc86755ed374af79fad92f1cd276ce8f3e

SHA256
987dfcc5665f069a2ee11803d36f6e0032df422e9b5c5172f2147c9e4aa12ea7

SHA512
52cc847c496036abe2e5606d5de8b897335a914ec07f463125b32c0a81b45cb612fc782aab0f3fb518a54174b220270362c111821edc4a1b1c15d6060c65a554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ef09cca38c3707dfad1dbe948bf24fa

SHA1
bf1fd2e97bf7e8019f23a3fd20944497ff7ff521

SHA256
65f39786f625f8ed9407cd3dc5c04c39e82337dca10d45725da66d767e32022f

SHA512
56e11d03dc312d8134536f71cbb13f39b9ab46c90cc427638671db5a2226bef9ba5a7031a5a6f242a0fece14ee730426e7b044ef033880575e41bf587269afed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7601ecf94aaa3238ab9e43d4c66fe948

SHA1
6f1c4825a130a76d777f3eb6c552a3bc7a1f32b6

SHA256
9fadccc7366e43e62a4d63ffcd5bd8b48c3a835105a18ac187b4b97eab9d2251

SHA512
a031b22501b541937a0475e41917e1213515156b748d8aff77465e0d82984dd68d7161aff16c025337d4435ed8738dbe6a603135480c41a5aec4f55f27481ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e384363b122c4d05e092f681c536fe0

SHA1
3f4cd9b7b3f3fe745e4349ec7e9268b3cc144b19

SHA256
539de95e011a1fe1b6cbe1c77daef45513280cb4f9a1458e9e289d23edc3c540

SHA512
e19e3fc03102b7697a4d014ad8d9a7613fe3d3b33f3338fbb0161f13094bb7150736142f8e4e408ecb3fd3edb4e55eeefef1509860a3f4a4a3fa2d4c6bbf2629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc5769ad645ca0fa7ba68ad3f7e96e5a

SHA1
c5cbbd0c2e2d11ad2eef896db7e685a3867a9f87

SHA256
2c06d01194b357b31e2ba0a467f724e1d17b0a645eb0fd4f6d3a25ab621c1562

SHA512
357359e453f1113a3dfc87743987bf24ec788da5c801a5b89c354ae201f13f984124bf21a465c104fa8db4cb65c897d55a1ecf5d33c52d807c5657a5e6a282ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef71e4ac40854b4e3f908b4bfa0ec698

SHA1
4355a90dbfcccea2f0572046e34c48d5b7c90323

SHA256
f789ded265aaeecc7b69ad136ce7a26fb5f43335e080283c2a12c19cd3fd85bc

SHA512
98628d07097081252f017a71590935806e7fb9e9069f04da508135a9d507b9c894697ffee5a2ff4c9aadbc21cf9e9797bec3bfa4dea2f1778dba788e4f34fc21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ce4295ca71da3b4d0853478a86c223d

SHA1
a54ae9d3aa2b9f211c8cc9f7995262d3bc17f815

SHA256
279c70d26039a4ca78f5541ad7c981d36578ce2c5d918ce0678c95fecc5d7563

SHA512
2942d8c242765c6cfd0f5a1c0ee4f08f6d547e8ca688c565f451958d0411763245d951fda6d4a1db2c6f18adf86cd9fc9607c8ed6883dbd002a739f7c99c2cb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
877cceaeb459498dd359b5cf66f1d218

SHA1
17d0fad3e5fed8477694769213c6c6db2660ae81

SHA256
855ce507e869b14c16c100bc1044db9df156491376f68cd7040be9873f4abe1a

SHA512
902d0dcaeab8199afc0bfe91ef801ec7cae3a78ca0fdc109e44a5d6df7e90e8b66fb342639415e747ac4092d370286e920ba2156f55153a3d6789f9b1f8d7ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a6ebddb0acf9058515907a5ef93767f

SHA1
9060721d26b424b7914bcb8042e9a2839b30c1b0

SHA256
f03ca13e0ebde56517fd0dd3980d47b9c2dd7bd3c3386c3a8c473bd554425d32

SHA512
6f19c03fd9345691614f3957aad44660b5c5d7869fbf04ad78eefbfe73f56e529fb310635ec4719552043d77bcf05b5f2c13f0920f256dabc9250105261af5bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ab6da43179e65283f0573cf718d5f4bf

SHA1
ec8e1dbf97a1337c7bae71a0f5db979a630c0bd5

SHA256
4cb6c6b40c4c7f66f5a5cac292c0586003ab0bede15eb1097cbcd634c81ebbe4

SHA512
981b96540fb4412e2c46a6f8dbd210e516d75794b7b80efca68a297b81d23ef671442f2c9c1e9126e408cdef91fd5248d8c44574e95e653a12f3de939cbcc046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9fajjbh\imagestore.dat

Filesize
15KB

MD5
1f76c0f3c86ba8f5b539bd62b774a62a

SHA1
66ec93bbd4bf80fa501ef2d5e5dc60175178f16f

SHA256
dc07181558f89052090764bba2d361d92e92ecf38fc8d56328db18b6dc1758a0

SHA512
256b1d7ac39f62156c77e8b08cc0cc9cd7f485c13d76c1042859b922eb05f2d5f6dd8ab46e119eb96a7d6f7c506f0de7343241c7e9e50889ac1181706a61f139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\favicon[1].ico

Filesize
15KB

MD5
e15402a41f04d656bceedb8d0a3ea40a

SHA1
31fee0b94d2a286a3d9b8094d5549a9ab1def5b0

SHA256
d8004341ba5458033d06eaa55af945a158f0bf170c5cbfb30a626e930e048bbe

SHA512
ffe902b3466bd6e96110ffe20a800b96a82f4042a6826fcea1750d0ffdde0aacc164aca51bceda7bdfef5047fcd41bb2026ba1e3b5109888396847881e944470

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB73.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDBD3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
57KB

MD5
f2a9ba24fda65a5e298a37965de4258f

SHA1
5c91e7c89233c45933ac106cd4d1110d293c9206

SHA256
6ea59e69f350e9f0311dfc3d58fcc3ebd22f2401b3047f454a518e73a12569dd

SHA512
e53b4e702ba04350d3c5f4c3780394b53360100b67f9856831a49235d1561cb864616823be3308911629416a5e69d88f2c3fdff8907547a9d821714e1eb94386

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b38d9e92930809d62d4a9ffdedd24152

SHA1
9c6b0c610775c2d8ce0a244e4c96c6337c15976e

SHA256
5ba9aee71b36fdf5010520e3e092e67fe6f18ff23d574e008abb5bf5192ff76c

SHA512
1028f61205f2a7a1886e3a35c3c3081ebd9d9e3b29c515e9bfad3e646c987ece4fd233e1fdbc16e31dcd9718e038e1aac241b9b2cd93391e61f0083281ff7e12

Download Submit
\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe

Filesize
13.1MB

MD5
da0750733bf36c61222eefaba4805dcb

SHA1
304e90d123300e646b768f1f358e59ba506b7dce

SHA256
c9ff8f05cdde137cb0e1e386184a42d4889988c4cfd235fd3340fe545f5e06ac

SHA512
f9a8e89f294257f785388e237a6da1f363f8d78af7c9b473d67261b99526224eb84598eacbba17f01a9f2eb2f6fea0740f7e37df92891df8fa39a33820287454

Download Submit
memory/1356-32-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1356-31-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2020-1205-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/2144-647-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1199-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-211-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1203-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1202-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-650-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1201-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-648-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1200-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-646-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1198-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-641-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1196-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2144-1195-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2448-645-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/2628-24-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2628-25-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2956-1-0x00000000002B0000-0x0000000000732000-memory.dmp

Filesize
4.5MB

Download
memory/2956-19-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2956-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2956-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/3016-17-0x0000000000D90000-0x0000000000DA4000-memory.dmp

Filesize
80KB

Download