xworm | 54e8a0545faac8f1de60cfacd3baf32135ee0a2b296f5ff36a0bd4a87abe1394

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm V6.0.exe
Size

15.5MB
MD5

fae9f588f8bf2ea148c92de1083eb8a2
SHA1

8103ee4ad2ba5c5ab6fafa80fbc536646fdabaa9
SHA256

54e8a0545faac8f1de60cfacd3baf32135ee0a2b296f5ff36a0bd4a87abe1394
SHA512

f05ddbcc784d3903e3d151155060a6fccbda672c183c2b71d7601e7c16579ff225a00156d3203ee3990b6a19cce7022644352f3db8b5b862928d6b3b0034ec0e
SSDEEP

393216:DjrikmL1xyfdd124DII+WNCKkSblVnUN:P+BxyfJ24DqW7S

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

jrutcxTxqD08SKSB

Attributes

Install_directory
%ProgramData%
install_file
OneDrive.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012267-5.dat	family_xworm
behavioral1/files/0x0008000000015d5d-12.dat	family_xworm
behavioral1/files/0x0007000000015d85-16.dat	family_xworm
behavioral1/memory/2788-15-0x0000000000AA0000-0x0000000000ACE000-memory.dmp	family_xworm
behavioral1/memory/2728-18-0x0000000001180000-0x00000000011A8000-memory.dmp	family_xworm
behavioral1/memory/1440-19-0x0000000000250000-0x000000000027C000-memory.dmp	family_xworm
behavioral1/memory/2100-153-0x0000000000970000-0x000000000099E000-memory.dmp	family_xworm
behavioral1/memory/2516-155-0x0000000001310000-0x0000000001338000-memory.dmp	family_xworm
behavioral1/memory/2512-189-0x0000000001F40000-0x0000000001F4A000-memory.dmp	family_xworm
behavioral1/memory/2672-248-0x00000000009A0000-0x00000000009CE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1320	powershell.exe
2912	powershell.exe
1960	powershell.exe
1096	powershell.exe
1308	powershell.exe
1304	powershell.exe
1932	powershell.exe
1056	powershell.exe
1696	powershell.exe
2564	powershell.exe
2656	powershell.exe
2592	powershell.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 10 IoCs

pid	Process
2728	OneDrive.exe
2788	msedge.exe
1440	Chrome Update.exe
2112	Xworm V5.6.exe
2100	msedge.exe
2516	OneDrive.exe
992	OneDrive.exe
688	msedge.exe
2676	OneDrive.exe
2672	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft Games\Solitaire\desktop.ini	solitaire.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com
11	pastebin.com
6	pastebin.com
7	pastebin.com
8	pastebin.com
9	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1936	schtasks.exe
2368	schtasks.exe
2240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	powershell.exe
2656	powershell.exe
1096	powershell.exe
2592	powershell.exe
1304	powershell.exe
1308	powershell.exe
1320	powershell.exe
1932	powershell.exe
2912	powershell.exe
1056	powershell.exe
1960	powershell.exe
1696	powershell.exe
2788	msedge.exe
1440	Chrome Update.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
1440	Chrome Update.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2728	OneDrive.exe
2728	OneDrive.exe
2728	OneDrive.exe
1440	Chrome Update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2512	solitaire.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2728	OneDrive.exe
Token: SeDebugPrivilege	1440	Chrome Update.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2728	OneDrive.exe
Token: SeDebugPrivilege	1440	Chrome Update.exe
Token: SeDebugPrivilege	2100	msedge.exe
Token: SeDebugPrivilege	2516	OneDrive.exe
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: SeDebugPrivilege	992	OneDrive.exe
Token: SeDebugPrivilege	688	msedge.exe
Token: SeDebugPrivilege	2676	OneDrive.exe
Token: SeDebugPrivilege	2672	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2788	msedge.exe
1440	Chrome Update.exe
2728	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2728	3004	Xworm V6.0.exe	30
PID 3004 wrote to memory of 2728	3004	Xworm V6.0.exe	30
PID 3004 wrote to memory of 2728	3004	Xworm V6.0.exe	30
PID 3004 wrote to memory of 2788	3004	Xworm V6.0.exe	31
PID 3004 wrote to memory of 2788	3004	Xworm V6.0.exe	31
PID 3004 wrote to memory of 2788	3004	Xworm V6.0.exe	31
PID 3004 wrote to memory of 1440	3004	Xworm V6.0.exe	32
PID 3004 wrote to memory of 1440	3004	Xworm V6.0.exe	32
PID 3004 wrote to memory of 1440	3004	Xworm V6.0.exe	32
PID 3004 wrote to memory of 2112	3004	Xworm V6.0.exe	33
PID 3004 wrote to memory of 2112	3004	Xworm V6.0.exe	33
PID 3004 wrote to memory of 2112	3004	Xworm V6.0.exe	33
PID 2728 wrote to memory of 2564	2728	OneDrive.exe	34
PID 2728 wrote to memory of 2564	2728	OneDrive.exe	34
PID 2728 wrote to memory of 2564	2728	OneDrive.exe	34
PID 2788 wrote to memory of 2656	2788	msedge.exe	36
PID 2788 wrote to memory of 2656	2788	msedge.exe	36
PID 2788 wrote to memory of 2656	2788	msedge.exe	36
PID 1440 wrote to memory of 1096	1440	Chrome Update.exe	38
PID 1440 wrote to memory of 1096	1440	Chrome Update.exe	38
PID 1440 wrote to memory of 1096	1440	Chrome Update.exe	38
PID 1440 wrote to memory of 2592	1440	Chrome Update.exe	40
PID 1440 wrote to memory of 2592	1440	Chrome Update.exe	40
PID 1440 wrote to memory of 2592	1440	Chrome Update.exe	40
PID 2788 wrote to memory of 1304	2788	msedge.exe	42
PID 2788 wrote to memory of 1304	2788	msedge.exe	42
PID 2788 wrote to memory of 1304	2788	msedge.exe	42
PID 2728 wrote to memory of 1308	2728	OneDrive.exe	43
PID 2728 wrote to memory of 1308	2728	OneDrive.exe	43
PID 2728 wrote to memory of 1308	2728	OneDrive.exe	43
PID 2728 wrote to memory of 1320	2728	OneDrive.exe	46
PID 2728 wrote to memory of 1320	2728	OneDrive.exe	46
PID 2728 wrote to memory of 1320	2728	OneDrive.exe	46
PID 1440 wrote to memory of 1932	1440	Chrome Update.exe	48
PID 1440 wrote to memory of 1932	1440	Chrome Update.exe	48
PID 1440 wrote to memory of 1932	1440	Chrome Update.exe	48
PID 2788 wrote to memory of 2912	2788	msedge.exe	50
PID 2788 wrote to memory of 2912	2788	msedge.exe	50
PID 2788 wrote to memory of 2912	2788	msedge.exe	50
PID 2728 wrote to memory of 1056	2728	OneDrive.exe	52
PID 2728 wrote to memory of 1056	2728	OneDrive.exe	52
PID 2728 wrote to memory of 1056	2728	OneDrive.exe	52
PID 1440 wrote to memory of 1960	1440	Chrome Update.exe	54
PID 1440 wrote to memory of 1960	1440	Chrome Update.exe	54
PID 1440 wrote to memory of 1960	1440	Chrome Update.exe	54
PID 2788 wrote to memory of 1696	2788	msedge.exe	56
PID 2788 wrote to memory of 1696	2788	msedge.exe	56
PID 2788 wrote to memory of 1696	2788	msedge.exe	56
PID 2728 wrote to memory of 1936	2728	OneDrive.exe	58
PID 2728 wrote to memory of 1936	2728	OneDrive.exe	58
PID 2728 wrote to memory of 1936	2728	OneDrive.exe	58
PID 1440 wrote to memory of 2368	1440	Chrome Update.exe	59
PID 1440 wrote to memory of 2368	1440	Chrome Update.exe	59
PID 1440 wrote to memory of 2368	1440	Chrome Update.exe	59
PID 2788 wrote to memory of 2240	2788	msedge.exe	62
PID 2788 wrote to memory of 2240	2788	msedge.exe	62
PID 2788 wrote to memory of 2240	2788	msedge.exe	62
PID 2112 wrote to memory of 1788	2112	Xworm V5.6.exe	64
PID 2112 wrote to memory of 1788	2112	Xworm V5.6.exe	64
PID 2112 wrote to memory of 1788	2112	Xworm V5.6.exe	64
PID 2576 wrote to memory of 2100	2576	taskeng.exe	67
PID 2576 wrote to memory of 2100	2576	taskeng.exe	67
PID 2576 wrote to memory of 2100	2576	taskeng.exe	67
PID 2576 wrote to memory of 2516	2576	taskeng.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xworm V6.0.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V6.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1936
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2368
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2112 -s 732
    3⤵
    PID:1788

C:\Windows\system32\taskeng.exe
taskeng.exe {5786E623-282F-42F1-AF9C-7C66DDD26C58} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
24B

MD5
595417dced0ace5d676799bc330365f9

SHA1
e47dc90913bf5a17dc6e14e24a857e1fa68966ea

SHA256
5b67abcab10e1cd7126ce16b5e032d67b7d46eadad49810f9248d03add90d451

SHA512
427afa93819a6a901068ff2f4d31a30acf7de5ee6b1005adc448b88cd1898d5a54fdad197706867cc1df441bb9bd8289bd2306a1940bc5225b042cf3c7d698d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
72B

MD5
d5857f53fbc6e2b3be3ef1d77ddff56d

SHA1
94457f04fffbd84d7952226aaeeac51c22e94d9d

SHA256
a68dc20da4f6924cd37ea64d8e39d9fd5af7e99649c1c03f02470acc716061aa

SHA512
d2fb995ce6f7c08ca95a4590d310f8c68639fee32792a41bd3342d80c7baca207af2a1a96694039d66cd57c432eae80fdd0dc599ea538708553cf2729db5f19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
73B

MD5
69da0763d1bf5484e34fc7926c71c18d

SHA1
944a892cd762a081341495760267e462451ee947

SHA256
146bc762beec9905df94e623a7bd96238fd646430dc56e5762b804e77ae9a220

SHA512
565852541e77c6a0e460c5b62a620fd53ff5df2d35af1ba26ab28877c0be8622f9d80ac1daca2798977bb1e2382f9bd3eaf5ffe2f7cc5fb26741007de4795c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
74B

MD5
3af46d1cd96f39ae99ff45b5b96d4853

SHA1
ce14c93181511f026de861f25482e36ef0781465

SHA256
a40f283c84817c7d9f14613282ff017753625461c4af4738e1821fa5b9da5b83

SHA512
68a3b22e2ec596abbcfab5461c464eefe9a0ff08e40e78fdfeff17c7d208b48a34174080e587b72d93c35a24e6f21b86322132c0abf1665a965f182e85cd1d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
75B

MD5
a07624a5ceab67aae5c59c2d8e22d6cd

SHA1
fbad02e88a24652f11a04b73b217db4768d4b369

SHA256
682341b37b891c2fa5d77237be5e675a363f79f07dbd50cdebbd10eda4b8e3ed

SHA512
d97429be5e756200e0f02c260c24e4d1457b08855a360bea0003423312550ae9880d11cae136655ec6008ebe613bcd41fcb88684a36714d251ac11d3769d2427

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
76B

MD5
6798af6c2991dde37d02b234ab49ce1d

SHA1
6f24f4455d9f4d42ec48940d28ae69f057fe67a7

SHA256
0f70100e2143ca67db165b3a8d0a1f555cef24fee9db22680c1a6e568286de6d

SHA512
33e515065c60384cad3d58bbb66470f2aae484f9e86aa1427f7e78fcca8b07d7bef5cd747a31688dabfe913328d5ec05181a18a07465340088b1f493bda99187

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
77B

MD5
a48139c235fdbef1c0c9ba136821e668

SHA1
612cd2cb1adae82ad7148c70ea658c07922a4257

SHA256
6668312de85a721147f1bad6ad35221f4b5807e74d4e60b4b8881c1701fb0702

SHA512
5be3c4b7a0696e4c9e9dc2817d8111745f0ea6dc869e5977759f92be59d2523b25cb4971cb7698aa1e7ec2fcdfa1570f41fa52b37dafdd7f2a85fba33b96eff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
79B

MD5
accd3e0315cb2f7955c70956501ae62d

SHA1
5d617e09f37bda8ccc8487a458599838bd5938b6

SHA256
b128f47a71056ce1df119ce83a17591192b329e8ccdd7333d79a09018d3772da

SHA512
90e053aace996a9a2be444996837311f66f503c313c721ebd94fbad2f9a3beb45ff25585cc3df98e999daad8a1da66717a1268ae910c551efb667f559df205be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
80B

MD5
211a78d95da952d6babdf62243e07f50

SHA1
50b154d8abec596d00f96830bcb1406119dd4de2

SHA256
22e8c98690c5de35e95230887a59fe00cafa18145ea4d1b560f42bc5006e5035

SHA512
ad6b4fa1c01460b1dbbe27dd53eeb0690eb3b36f847d3687344e31dbf1b38110d8dcd2f2d86db7e8e404c93f3aed7bcb1ca12cc393fa616d0b3a58dc1cce7a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
81B

MD5
ed2c2d087fbb8e028f6dc6a9016f1d4c

SHA1
16250a8e091bbc7145044945713aea84b2cbc972

SHA256
d643f8026ab805a29628d71481af18adafea254d4890ac5e2d52cdcf72782e67

SHA512
81058a0624860efbf4a4284019f2ad4e62c7b94649f88fd4727b917d35a0dd9e23b05ec9376082fbfc1f635fd17a85d0fb41f67c03e0b0fad42afe80b190cd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
82B

MD5
fb10c51932016d59875b6a6d7e044413

SHA1
b03157c949d2de282c923859e6958e6d355b87a1

SHA256
5196cbec2dfdfad5792e9b79398191176630246b7fb8f03b4df4e01a3057a993

SHA512
8d9b9c1511d20b2d1e174692deda2ead08b06bf594f0477915b32e2b8f286794a6c1307954a68ba38aac31698e083aa8e50a876578b17aff51d7b9aa05d2d8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
83B

MD5
d4782602030a4bdff23a5eb69c5a74ee

SHA1
1ae6c364355098c1f70d3c30a154e07b9cce81e4

SHA256
ff5adb5ffef97706651ad4ff0f93c82d81e6164d44cd1dfe108550f8e58b85d3

SHA512
06a3875da6998902f7e8566b0a65e5098f25db330a827c86033dc9bbd12fad3f451da546e597d9c8ec3e73cd9cae4c42b3e872ff733f92b8d4229263ef6d4b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
84B

MD5
463702ed15ccac86f2d432a7881a85fb

SHA1
b65adf54bf34442c55c9c233da25c9052a182a7f

SHA256
f06007fc1ba9ff157271e850462201c1cc9386218bf7e06b671ac2a830375fc4

SHA512
bcc6adcaf2cb9f7d624370e95fe11f06b3ca337ee47a0ec7125847a7b6ce19c300494f368b81b5f64154eeb31260bb1a16b4bff405b40d61f3d65efd3ac760bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
85B

MD5
d5967f2b6774ebed9183983d22a04e84

SHA1
ee59dfd8994177ac5ea3c2a68abb2ff2bebd9b50

SHA256
9619b470bdded8b358064e28a7e721a3bca1ddc66a913394439d41ffb8219e39

SHA512
8ec7e495590e891a28d40f98c445d10213b3634cc0fa61b30179b305f8c944710aa1f9ede84c09c9f1892f74aeaa9d58851432de52a8462fd82aa44b83cbebd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
86B

MD5
c771cb66384567ae6fb08424a247f4f5

SHA1
45bbefa934456023c3ce19b14325c684b3fe7e8d

SHA256
37e9c4945b7f3bf7dd6a9b366f149413e2ff5b5c521d98446a105454ea502ffb

SHA512
f9b3f56a8a5252346c10b875e7ccd78be4a1f77129fdc129135f10f7a046622579eec5a91a8904a5bc80a66ed52cf85a4332e60c3d8d6f592074539a22dee7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
87B

MD5
27accce1837d619635d5974966062886

SHA1
ba7604266909bf6bdb5843255f3a4f61cca5d188

SHA256
2763151b7f0d48d359bc64727dcbbe0ab15a52d99749a9e101debb0092f2b057

SHA512
4d4a3f356464d4235baaa02bc441170c4aa036a93c52553b508ec42af4e64131fc5250aa2bf087a7a71ec040cfadf95e2d00534a4ef32645df4ed0560fb2b6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
88B

MD5
155a8081c05159435dd28d2787bb134c

SHA1
1f0b5d43c83362deaeef8fb9294601ec720db91c

SHA256
333b6aa5dcf364338be64b31adbd65a21d720b2fd4b0c5507d04189f3ee6534f

SHA512
1a41b625048a90badea2a8d1c1e9875976c29ed3a62947cc1fb1bfdff63e57d04c4a2ae79b16d9542fdeb5476814d3e5f2ec4a1928d176dbd4746605e308cef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
89B

MD5
f00ee591d8fc8f5404fe9cbaa3e2a543

SHA1
3c2f1829df641738e05f046aafd0e299bb90bbe0

SHA256
dd3afebb325c9572d7fc9e893ca2fb0633fd29e8d9f48b1a135b0abadda3a40d

SHA512
fc098ceed52b0c1020a2b5dba18b126a9e53566759d9ed084b39dd6bc0763c7a26142c50e9c3abf89d997a142c447752bd3969e0186fd94f6107cb2e0606890b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
90B

MD5
a5c944e7133989c4bad834c2cad7648b

SHA1
ff1c5ab7fed8a42b556ee880e38e185185f65c16

SHA256
ebf19f68ce1f0488e247201411f846c71fce69f0790a25e9a003b17c4f93e29e

SHA512
11d048716ebe848a91b32d5be28d16dfb566fc353e7135aa9c8eb222ff0f88050eb86a92858f07d4eed2417e58928cad41fef8cdad75cea1296e32a17d61d120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
91B

MD5
63063002513da4a519808e1491f0b2cf

SHA1
60897eef8d872d4f47bce2bc4b0cc3c1c751b30a

SHA256
60a21da0f3a91ab2ae45cab6900dbf75617a8aaeff9c7646e6a1c9bb2ee0e175

SHA512
caf5ecd772df894e9acc6809414f2ab86572374ec5b7144471918b6800f38dc9b74865228269baf2afc7e5dc42acdcdc96db8d6e758cf9e38535c2410172ef07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
92B

MD5
0376f8ce55cc5a6c231ffb96d8af5f0a

SHA1
a4fb9ab41e5639d8a57c263fbd3226faaeb10925

SHA256
eab6bd043090d22d9e51084950db85cb2e79a78d0ec5d12fc0abd5eab8c497de

SHA512
fd85d3214df29fd8ff685dba631a944839ac33ad8acab2e7e5eebe7900af81e0a28d5cd6d13c854b40e7703173cc7bced8bb355c9c60ce54ea1a43e109fe06d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
93B

MD5
b9405f513a810d17c2cc881383f7527c

SHA1
e4b0dae73fa1f07282f71501efeba07d1c43aff6

SHA256
d4bfc4891379e79204273d22086202efe4e3adaff499f616365f839bbafe638e

SHA512
95eb913c23e9dee1f64599e21c5e83ae835af242a75947f94a32501f32f1816f50e6db759468c73355e72a8c914780a73bfb92e92f44bb41b76c0f58399019e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
94B

MD5
8ca9df0c73af0b2326c575b905e2bdeb

SHA1
ebf5c0ac10e0ed37d8fc4fd015a6553d1d82be1c

SHA256
aa5554b12f5e01c58c09ef6b8173afbc5544ef46f256e931b2e9922535e8c0c3

SHA512
c4b8369faf5e4d578575d59bc6f12df758b7b135aaed203910662e09ea9631c6af636c8436d67be7ad265ef51a66f8a55d33329ba9d881731b6e25852584e860

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
95B

MD5
1d1ae1f8e51f49794eea2c86aab415fd

SHA1
b520b3619ffa486c3b0ddfe212ae4206c9daef5e

SHA256
58bc54d5453f86ff1c0a1926c60f96d79334c7027807e1b1f43b284d0117db3e

SHA512
d76bc4431c373ca34f10ca58bf059f4939a9406fcf4269853bdb305b84ad5724b817d6088b7be2ffe3a49e52cb574cad269195d9d98be25345050cfc30739bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
96B

MD5
208b865487b966de1dc61d3dc8c83cc6

SHA1
75a8866e5f2ae4c0951c5df613f1fe2fc9f537a3

SHA256
58ca353b97dbd6de63a66f4ec66aec8ab41e972c42754ca0fe2a405a846421bc

SHA512
3e5e2326e812338c86eebcd42b53fe2c61f6dc85cbdd3523b486a8313045b6e38112c189539cd152419a6144db8703dc3b73c3908acf5612b44c59b362c29556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
97B

MD5
3ab75fddac20f869c4954d0089d556f5

SHA1
44765c2d7e0cad83419a2cad6ce839a1c0e4f2ab

SHA256
4c0b64093023cddf78f0505fd441c16939cb4b12ff7ad0cf76fdb5002d09f120

SHA512
9dd58ed19f94ca9ea8439ef3c66c8dde3f4c226c2b4a0a16e53bddf9db6fc340403f404c55124ccfcb688d3457191dee825201b5f03a99d0791bb5903e4fb07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
98B

MD5
bacad5b9761e53b951bffe9d49cffef5

SHA1
854d797d09f9160726755e1730678096fc040f34

SHA256
a794ff483e27c42c8e37f6d853a5f303304b5b62cf5e8d865cda65a069c9f3ca

SHA512
e9032628aee208a47df62764f952032ee5c27b6cc795f3ae39c81d40d51bcabc833ac8f754d471b0b8448f43189a21938a94f823dd66ed3a379063f164f431fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
99B

MD5
0bcb18bd27bf8073a15ba3d736adc9d7

SHA1
c45802584e55e8eca86b99ee667b3d25fde0d4bf

SHA256
cca67fd049d442381398b2ce68aebaeb078dfbaefd4d46665e37d75933a032ea

SHA512
61df989448ed833fc787e26542442e6ff8dc640cb8b50b114957218b7d6974d99ca38d4cfe3e13ca8a671dc5d4a59d402d73af0baca238d02634dd39f542c8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
100B

MD5
5aac1025e5b1ebd731c1e918a6ea53db

SHA1
1a71a8bee98599878a8496977af7211a3ac4038e

SHA256
4bd7c49d9c81b8dcd269a773737a858b78d1dc5b1ee20d290bad9440a5202dcb

SHA512
319d6b5d113482093ac3eff5d40afa17784b64a1482dea34dfb755b6900cd729baf6ac75042972d4fa882f48da41ba8a3e25799a3c0ddfa7d4baee3aa1ecaf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
101B

MD5
a5b1c5cf2aaae799d627f6e2b705ac7f

SHA1
522fa9b5d010a60deea1f02b0772e2d60361d287

SHA256
0a191575d8576ee69edfe4f45ccc4a73ca991b4bf92895af084e3e2efe6b98d8

SHA512
2b4f2604a68cfd11cfe4235d4e5c518a609d563f52eed609639521bc598e9f6547f9968d96236dc24b7e275401412e48628f083b9bc300e6863300d67147a5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
102B

MD5
8ce93f0f7c5a08eb3dcd7323095c1cef

SHA1
cc02a85d233b453fb63c6ffac40785f8805b05f0

SHA256
0b42be08f8e1bbfcde47b0f0188f852b491615d6ae16498830b7fb068ed9dbbb

SHA512
45113e001b1dbb652062abab4615259ea0ec841ebb9f9f7c7afc022b1066c5abcdc89b0f80546cebebee97b465c3518c12934980cbc4187260eef47d721e527c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
108B

MD5
d3e709ae813c8cf7a1a244c60b7a6a78

SHA1
266f3bb0807183de5dbb69101aa5a35d668b895a

SHA256
9177370e0b512f0910bac9d7d550426bf16e443f57745c54af0289d921619659

SHA512
f884dfb3fb8c1b9694742aaf5a401c100edeeee81f792e609a826ee239cc2a46088c2d52a2a1fbaf6626e5a09f3ad0970316d6c8d004b43ddd0a3ace9f4078eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
114B

MD5
ce23287d6279ed5e914348a3dd1bd65e

SHA1
d97f457fd4d9bebf202f366d4370aaa8196d4b93

SHA256
7c5afc8fe3548cac12fa07cbaca30a7cadb4a44277967e7f383618275f04690a

SHA512
ec0c5124a7d0c11d376c002c58a85c728afe246e0aae988630450d6f0caee4c3a9d208c560fcecdf21d0132b6a0406d95ef99806221843ac2fe5b33e2536fa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f10a9f0cb90ec4d34195928768ece21c

SHA1
5e0e9284ab2abea930ef892513b97c84daf26bf2

SHA256
caf2caef23b401d76f0cdbcbd2bcfb5a59df627956c42aced13bf7b70dbc8928

SHA512
9f8020415ba730e034eaa1a9b72f34a2e37be79bbbe4c76b935e8f3dcdea0e4ebfdb3938a6decf40299cd590c8a9f3822ae4c6d5270197432cff57e1161b3da1

Download Submit
memory/1440-19-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/2100-153-0x0000000000970000-0x000000000099E000-memory.dmp

Filesize
184KB

Download
memory/2112-26-0x0000000001040000-0x0000000001F28000-memory.dmp

Filesize
14.9MB

Download
memory/2512-190-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-157-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-167-0x0000000002080000-0x000000000208A000-memory.dmp

Filesize
40KB

Download
memory/2512-166-0x0000000002080000-0x000000000208A000-memory.dmp

Filesize
40KB

Download
memory/2512-165-0x0000000002080000-0x000000000208A000-memory.dmp

Filesize
40KB

Download
memory/2512-188-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-189-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-192-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-191-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-160-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-193-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-205-0x0000000001F40000-0x0000000001F44000-memory.dmp

Filesize
16KB

Download
memory/2512-156-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-161-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-158-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2512-159-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/2516-155-0x0000000001310000-0x0000000001338000-memory.dmp

Filesize
160KB

Download
memory/2564-37-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2592-51-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2592-50-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2656-36-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2672-248-0x00000000009A0000-0x00000000009CE000-memory.dmp

Filesize
184KB

Download
memory/2728-106-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-22-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-18-0x0000000001180000-0x00000000011A8000-memory.dmp

Filesize
160KB

Download
memory/2788-15-0x0000000000AA0000-0x0000000000ACE000-memory.dmp

Filesize
184KB

Download
memory/3004-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000000B10000-0x0000000001A90000-memory.dmp

Filesize
15.5MB

Download