xworm | 6d2cf58460eeebc417121afd3d5b0592b88b16f1b115e16aba32049437d05832

Analysis

max time kernel
57s
max time network
53s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VixenLoader.exe
Size

38.3MB
MD5

42660a451f750c72df213ed8b234da84
SHA1

57d610944313b20cec5918d8e4a482eebbe45beb
SHA256

6d2cf58460eeebc417121afd3d5b0592b88b16f1b115e16aba32049437d05832
SHA512

3843a449128f6be9ec4cfaee84c6c9c323b79bdfd22c9cf582c7f563c125db66fd12ae9324af197265e0da6faf30cb2a5a9e966c9343d9d098b0a8a38c655526
SSDEEP

786432:73skHahOcCzPA18A/Fk+SfyNqDOjM8VzG4j9rL5nUbVOtsa:zmhQ4iA/eVrCtzGoZ1Ug

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

play-treatments.gl.at.ply.gg:50330

Mutex

0JSF3VLcLKVr7CJP

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001873d-10.dat	family_xworm
behavioral1/memory/2680-11-0x00000000003B0000-0x00000000003C0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe
2880	powershell.exe
536	powershell.exe
564	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	System.exe

Executes dropped EXE 3 IoCs

pid	Process
2820	Registry.exe
2680	System.exe
2624	Stub.exe

Loads dropped DLL 4 IoCs

pid	Process
2696	VixenLoader.exe
2696	VixenLoader.exe
2820	Registry.exe
2624	Stub.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\ProgramData\\System.exe"	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VixenLoader.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3040	powershell.exe
2880	powershell.exe
536	powershell.exe
564	powershell.exe
2680	System.exe
2680	System.exe
2680	System.exe
2680	System.exe
2680	System.exe
2680	System.exe
2680	System.exe
2680	System.exe
2680	System.exe
2680	System.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	System.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2680	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	System.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2820	2696	VixenLoader.exe	30
PID 2696 wrote to memory of 2820	2696	VixenLoader.exe	30
PID 2696 wrote to memory of 2820	2696	VixenLoader.exe	30
PID 2696 wrote to memory of 2820	2696	VixenLoader.exe	30
PID 2696 wrote to memory of 2680	2696	VixenLoader.exe	31
PID 2696 wrote to memory of 2680	2696	VixenLoader.exe	31
PID 2696 wrote to memory of 2680	2696	VixenLoader.exe	31
PID 2696 wrote to memory of 2680	2696	VixenLoader.exe	31
PID 2820 wrote to memory of 2624	2820	Registry.exe	32
PID 2820 wrote to memory of 2624	2820	Registry.exe	32
PID 2820 wrote to memory of 2624	2820	Registry.exe	32
PID 2680 wrote to memory of 3040	2680	System.exe	33
PID 2680 wrote to memory of 3040	2680	System.exe	33
PID 2680 wrote to memory of 3040	2680	System.exe	33
PID 2680 wrote to memory of 2880	2680	System.exe	35
PID 2680 wrote to memory of 2880	2680	System.exe	35
PID 2680 wrote to memory of 2880	2680	System.exe	35
PID 2680 wrote to memory of 536	2680	System.exe	37
PID 2680 wrote to memory of 536	2680	System.exe	37
PID 2680 wrote to memory of 536	2680	System.exe	37
PID 2680 wrote to memory of 564	2680	System.exe	39
PID 2680 wrote to memory of 564	2680	System.exe	39
PID 2680 wrote to memory of 564	2680	System.exe	39
PID 2680 wrote to memory of 2960	2680	System.exe	41
PID 2680 wrote to memory of 2960	2680	System.exe	41
PID 2680 wrote to memory of 2960	2680	System.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VixenLoader.exe
"C:\Users\Admin\AppData\Local\Temp\VixenLoader.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\Registry.exe
  "C:\Users\Admin\AppData\Local\Temp\Registry.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\onefile_2820_133787689193772000\Stub.exe
    C:\Users\Admin\AppData\Local\Temp\Registry.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2624
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2960

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
39KB

MD5
dda376d12dabb5271a3678e378fe5b11

SHA1
91711a77680345ef75c1ca6b0c5f46fc5afc9044

SHA256
f59efc57c51f6605eed29422e8c97c0d1098d6e920a9a89957625f08785160e1

SHA512
7166ad32241e4b7534cc619943369f8daf3daf8e85ff2f2ce96551ad712930bcca3db534470d435448280b342bb380a84c7d52619ccd4932ccc6b786e4ecc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2820_133787689193772000\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AQ8XMG91H9ENL0AIPYB7.temp

Filesize
7KB

MD5
cb908fa6096bc54b35d4f8392ab60bd4

SHA1
a58369ff8ef85b173e52747ec4feda9abef40a78

SHA256
2f7288363c0398381051b38b7b09ea23f1d72aa1fae456dcf1cfd03b2ffa4ea2

SHA512
1e7fe10e2f56647fe96bb7f1f6bc60dff6df002b60fcec28a5672fce71bd8469e2aa962989a3cb0df2d6070db811a1342a88c976305de237014423294a414711

Download Submit
C:\Users\Admin\Desktop\BlockDismount.aif

Filesize
371KB

MD5
8ec2bfaed598fdd47d14737281fa87af

SHA1
b23a137c448af4e2b9951c1c2ae2941eb5133089

SHA256
87d3aabd9c225f63bf0e5d867728e4b713736b6f3c7481d42415271fb2e34e57

SHA512
0d527618d06f062a5f1573c94e7b7520f1826b51687d44a92bfcbf4cad385d7fe35d9ef7c65a7e95d8d433a2e7d22aebab94cb13a6ec6fa793acd39d08b44fc2

Download Submit
C:\Users\Admin\Desktop\BlockTrace.ps1

Filesize
403KB

MD5
ebfb1ba7bcc887cb4406cac571ce6d77

SHA1
2cd2d1c7379c73d3ffb6f2603c4d5c5c3a5bf737

SHA256
0a79d1dda56a8ca26314ce317e823f35db086ba4f3aab9cc1891d7184ee87247

SHA512
28029d3ec85d12df97f8336bf4c2a5e3793f257c2e19c4c5b670510a9731f9530e045d5e50fdc2b46968bdceac29bc8596ec4b14e097ae1ff81ae69d525d6ddc

Download Submit
C:\Users\Admin\Desktop\ConfirmImport.ADT

Filesize
514KB

MD5
3ef72db04e3525ee03fa97dc836489c8

SHA1
485617dec1640b8d5bcab674acc38d42beb83118

SHA256
4a86862ca9fec563caae16737ae77ef2fc5ee530ea487e33e89aa89933edf0a8

SHA512
204f058f6487bb23220ea8be80d5520343143ad09c72cbb375e74fc7deec04481784563b0bde6d29963a1d90f089d1cab116c34af2c6fba01bbb25efed04c143

Download Submit
C:\Users\Admin\Desktop\ConvertToSearch.potx

Filesize
277KB

MD5
2d592e38b9abf986478f9d571ba5ad65

SHA1
ac984e92234f8b506a03b3a8beb7671268cc025e

SHA256
655ed9425c409802e3492d04d7ed9bd452da313e71c5531a2fe1bb8564d75281

SHA512
ce16c7abea32af94f712ecd15b2a08a492540575b120b50c5bf92c099d4cad2772699004e81a337f399174e739c07bbd318038e7ec8f425699c25c96277acd47

Download Submit
C:\Users\Admin\Desktop\CopyWait.raw

Filesize
498KB

MD5
d43df39b687ca4d5d6724307e73dcf18

SHA1
85411c903c7fd53be38de93d955e11ec0786100b

SHA256
f86a8fa211ec6aa6192fb04aae1f35b40e0aae5648b7200d89c4a67b613d0a00

SHA512
ebb4353705a545f731233ca1a1c590f15631165177f493e382f4b75d06af14434a119787b53a8e52ffa3c3492b4554d767159561e788bcbc458b7ae2b4a943fc

Download Submit
C:\Users\Admin\Desktop\EnterMerge.cab

Filesize
435KB

MD5
0c687e18d9ed32c6f31c98cc1514943a

SHA1
74e62a3bc69b0cde67d54b8fdca022c681e5e961

SHA256
bc5dcd6151fb212674819174bc93bdbb27dd9dc3e07533ac37a685e829e8d3c6

SHA512
b8e0544ba79f98dad4d77454a8983e9ce5d38748cb717f75432cc8b1a3353e1abf57ab1f9b82cc096e0122ab3e9b742fad941ca2c3249d9abfe264470aa48658

Download Submit
C:\Users\Admin\Desktop\FindRegister.xlsx

Filesize
10KB

MD5
c354e13e3212f5a081cde2d322b327b4

SHA1
79263bd7bd1aaf60d72ff7cb74a104dbca5251a4

SHA256
9651c33bd020dc45607f12991357b6b8baa6e1afe8749a77905a9f6d89991ed6

SHA512
75162d0b958b228ac91f06547ff2992762cdbed51bcb19bb0cf0ecf909a24abd2e01e68305529bcc3b8a81af096b39bbaf6d6834f9111defa7d8badebcb1f2ab

Download Submit
C:\Users\Admin\Desktop\FormatRequest.xlsx

Filesize
15KB

MD5
ef3089fd1455fc060c283bd085a8989e

SHA1
7ceae76dfd868957f2243938495fae67aa4178bf

SHA256
a9656e0aee1c7be8ff1e4f7f44d431ed43b2fc5b991302d1766680bf63eaaa7d

SHA512
2be8453c3dd97115701669688c261bdb463c7ed5cdda5e558e1f7da74e4e317007c95fccc3fec2b8e45ee0b3e28320f35fae667a43f5fa0a3059b5f678b88478

Download Submit
C:\Users\Admin\Desktop\GetReceive.eprtx

Filesize
261KB

MD5
a44b95f475166a175f47d8ff596f48c1

SHA1
6eb35421733032b9b4a49db60ae491fec63afdf3

SHA256
ee0bdd9973bb445b4cb74697d09231e8b3170e9a49b5930cff4e7b6c71fbf1dd

SHA512
d2075ea40d31d6df8c50831e36f45e7155b1e6dde3722c16cc5a624fdd6160feb327781c0f469bbeff41807ad66d21c844758474564cd1c037f29c5730b2b1e2

Download Submit
C:\Users\Admin\Desktop\MountSave.pps

Filesize
451KB

MD5
a87a9a8c4ed9196442c7d193f790f80c

SHA1
59bc1d3842b723549137098e4422c3a39947996d

SHA256
215d6370f2706a0fd1139325905fe561b3c122b664630b779c802bb58ac07231

SHA512
a3e8de62ffb016c32ce2d6b70db3d089bc51aa0b6cd094ce43a77249afff55aff946e8e914364cf0ce571bdbc7708aed1391d0adbba7d5511d1440f7329d34d1

Download Submit
C:\Users\Admin\Desktop\MoveReset.htm

Filesize
482KB

MD5
fc2a13c986c5708d05969a47ee1ff2fd

SHA1
55e7fb36553649e7ac3de5b17c5e973030710726

SHA256
2e59afc5215998a7a5ff21bcbe96f050739c5b51859c357dd38ce77ea86b8916

SHA512
3458966fdc9ddf981c1ffdb6f0a0e8f7e82e603f98a45483c45969af7b932f169d50749cf433bb8d922f6a5d5877732212ce0aea9e67a6f874c514f8471485c7

Download Submit
C:\Users\Admin\Desktop\ProtectMerge.ps1

Filesize
419KB

MD5
730ea8ccd446fb4891b30db51a195d57

SHA1
83f01895421f50fae56e59def9f07c96b7726819

SHA256
19ef49b5cb8d2bc93811728952556f1c81355c7df795904531ea4d3e88513fd8

SHA512
2b1a4f6713c4e9f2b2c91072a43a023f02d8a283dd7b29d6ad09531c724b80a77d43becb513ab54491e892d3e60c421ebcdc7eaec9b2f2dc335b7feca0987487

Download Submit
C:\Users\Admin\Desktop\PublishSplit.docx

Filesize
16KB

MD5
637b170e98ebaaf10cd904fce105c767

SHA1
8d5aa2a790cf9c1baf21815034a8a867d68bff20

SHA256
e4fb1516c68662c8dc66d701fe68cf2fada1bdf39b30e321dfc8eb4bb24aac47

SHA512
1caa5359a554d262d46a5da983fbeb54b3fd62df64b20b1c060fb87e72db82521d6b05c1e6516bf912615340792a6035c41dee310e45258109b0935ea79a2469

Download Submit
C:\Users\Admin\Desktop\PushReset.xps

Filesize
387KB

MD5
d5882f27a7ab003db9cf589a7393db4f

SHA1
928721cf9d719aafd36b033b90e65009f7d74ebb

SHA256
960652dd584aa113908d5a197288dde1064832d3802790da952dfa087897103b

SHA512
de6e02c819c215208f0bb6ac48a876b668e022f1692c199badd1d518c5ab50ce387c2143be2b6588b3ee3fc0e6bad2b6cb30f93367d935fe30662bace68422aa

Download Submit
C:\Users\Admin\Desktop\RestartUndo.vsw

Filesize
308KB

MD5
13b74ea902eb60ab150e87a0ebf27069

SHA1
f68ee1cd58f089c187ccb4abdd76bad78ccce15b

SHA256
e1473d4010cdf012da72b7f1802b55418ca5817a7307e053d1b4e00d956f29e6

SHA512
7bbb61043ea3580f75cadb0596fadf7814751742f7b5fd616e3272d34207812628da812ce558be5093cf0a461d4439b0b9cdba02ff275526aa54b2d6af35b132

Download Submit
C:\Users\Admin\Desktop\SelectMove.avi

Filesize
340KB

MD5
b2b889e4b815c54210d557a338c17ee3

SHA1
ae01b56f79af9e2af005b4c9c7310303210f0655

SHA256
f4546f3cab89fc36c8a8957473fca5c21f5045052375c2cde8194b36f618c500

SHA512
32e832db91217002746d46f48811c982c8e0b530659c5038447251428797eb6be19fd76875e6c8cc5fcd4dace5f15a1b634cbd93da7f156883c882fa2e60b15b

Download Submit
C:\Users\Admin\Desktop\SelectRepair.m3u

Filesize
292KB

MD5
ae065bfc680715f0d662a70d7944712c

SHA1
e0c327606586e3c02e862be6322ba2271a7be303

SHA256
f20cb7373b76dc681cb44f04cc5ede9b5ae1ce137026036b78e174447cf71fb8

SHA512
113bb9895cdedab87bf595ada1c94c3edb87281b29e0d93d302fa0a99ca7427c6d1f83deb5d8c0e7da3836e9fb84dcbbfad9b1e8fe4a79b5fa9f04ec05981818

Download Submit
C:\Users\Admin\Desktop\ShowUnblock.xlsx

Filesize
14KB

MD5
1808025eb464b3835ae5ab38623096a5

SHA1
751df70712d15ca75b30c76a174d77e4090d0084

SHA256
f8046754a0d58941ff7fbadcbf990a80f09a4f75b26a8431e709cbe5e1e74851

SHA512
5058b61c86130b3d25680a9f0a8ba24de8f5f4424447f37777875f5ccccbb5c0500b1808dec6d1611215ad0e3d7ad0bc7ab9583dbac160a0061055e9eba06c46

Download Submit
C:\Users\Admin\Desktop\StepUndo.search-ms

Filesize
229KB

MD5
66fbccbcb811858fc06d016c5db865a2

SHA1
0a1b34d08b220ec3542b5c424a65a3ae96f17f70

SHA256
2a85ccb528db162c9788851c5d6286e37d1df923cd17870f794d829ffaca606c

SHA512
bdb1f53059749f6932c845b7b0c11081f788c53f69ef484a11cc38c7eb846326acbbb8e028312162f667faaeb761c39a7b01832b62b1dfd015f8caebae609b5d

Download Submit
C:\Users\Admin\Desktop\UnregisterStep.ods

Filesize
245KB

MD5
86b03f0add033a513921c43931cf0d59

SHA1
57bd5d3fbd77995eeb733a91f69f9f2a0a1478e6

SHA256
e99cca04f17fb46f8b2665148a83bd54b071908b0c3705344054d9eb9d96d00c

SHA512
bb6d355e94dfb765fc9377060fef1c4b83e4013788e31f5c332223f77b360d052eef89522be6659abd7dc52a6ce2ec80297c26324cfc60af3d25702a2dee5279

Download Submit
C:\Users\Admin\Desktop\UseUnblock.vst

Filesize
356KB

MD5
3cf74427868293ec8c79ceb0da5bf670

SHA1
c4d2bf887980b39ddd5d0246b1fa59014b6d2a6c

SHA256
c3fb8ba80e27230928523f7524f5c2886c5eeabbbab3e7793760ff274d3a9ae2

SHA512
2d0f54e9f501fff8bcaa40fd6d3ed37e0b9c0088cd8ae4055ce99650b61e1bf74369944dd0e8bcc4d6847238ced2da23390596b66f665f7b1d1858453066686f

Download Submit
C:\Users\Admin\Desktop\WaitStart.vstx

Filesize
324KB

MD5
10ae8eb96bed5d0ae8e9437837d19bf1

SHA1
ff80d35cd02daf9e0caf40c71bdad3da6104478e

SHA256
e7ebe68187c818ab96dad3e1b07fe51e6e43038a5cc22ac1f2945ef8d2dfcd1d

SHA512
8d319abc572ccd0123071d04f638168e980bba595f43bf09ad8afadeabfa098a7091ff3b10374823e0c58e225b6f157b3bb473f30dcde0487d8053920516ffa5

Download Submit
C:\Users\Admin\Desktop\WatchAssert.odp

Filesize
466KB

MD5
894dd0c8446ba0d26d529fc28aee1d55

SHA1
70a995bd0536ed2b7be6847e0b1c42fd04f742e9

SHA256
2b05e73bf48baf6dc9ae6d2c4ebad75612aaaaa817bb7c42e227d88ba616d439

SHA512
03b058db4e6b5e2c1e4456385432823a8562a08787d4a1845fcd27466c0c482a2b5bafac81ccaff915e0cc10c3da53b3600e38a1a4ca0d1de36f79fb3ea1edf2

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Filesize
1KB

MD5
e5059748009b9541c073b14a9a27204c

SHA1
0b00ad05ac3d12aa680421d0f19b27e288eb1419

SHA256
433259d5f3fe4b1acb2720713055678b85406e2609c8eebc8b2802a633ce530e

SHA512
5f199e613b00df513cf84125ffa13aa6d979750184611782cb360cf848eebd431647425e3079b073000ad15c4ab4ae91515f89f82ed73bca2544fb045becc732

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
931B

MD5
6769cb98d1a77cea8849d407d4a17e01

SHA1
25d71866e3d784064acb82addc2cd9d6ccbc44ea

SHA256
ed0cee3ac33dc9d1dc4d9a418353edbcd670315ce6876611327677f2aeb8a327

SHA512
feaae7d57c85e6fb697b7d611e6f7fc19b580b4aa674ee329297394b8556aeed019ee2db18fccace351ad866020c28061b79e106d6d06e2c6300b340c7621012

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
bb838ad43807201b560e0794f98b83b0

SHA1
428591576784df9278f02b6b64199fee1ed53206

SHA256
e034d952a8ddb68c012694f1dd8044726609b4d874db2a3dee0e9aed08c03c5d

SHA512
af18eb7e959734fb90ea48b9ea4aac558c45451da9efba8ef07a2bc185a00e0834bf04640c403c13140cdca82da878769e473f6a766eb4bc43f9690c45fe5c43

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
878B

MD5
fa06dc9f0c06f7078af192aa8bc3729a

SHA1
f34b2197cd0d466899e1ea8fddf642568d038fef

SHA256
3c884522d453cfd2ca09db67d181131e5384d4e62e2f7846f45880bd2062db03

SHA512
6295213ec650ef02b6608d6c061760a051b2e765c588c3f58551556ab9c3ec67576bfd36e8b78eab4bc9576267a104bc749e6a1138e94bccfb12b0dd324cd8d5

Download Submit
\Users\Admin\AppData\Local\Temp\Registry.exe

Filesize
38.2MB

MD5
b4c97238cbd3eef2220646a06ad12d3d

SHA1
448cd7706447ec684ddbdfa86298ab7ebe2b5d37

SHA256
1b2e36cb8bece957248db97bae8a1ea60c606a968da4ec1b8ef7bd740a3d30ab

SHA512
d823a9c84e93946b139ba771c4ab9b9a46236689f4140712d6c122517660225e9cb927dd0be79d7e4920b5cf567daf124d67ae714a99952f26434a2b887bf8cc

Download Submit
memory/2680-11-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2880-58-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2880-57-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/3040-51-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/3040-50-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download