Overview

overview

10

Static

static

10

XClient..2.exe

windows7-x64

10

XClient..2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient..2.exe

  • Size

    38KB

  • MD5

    c9196dc6453467a8680afa368cb2c340

  • SHA1

    8dc19dfa55c638fb737b06bf3edaa04a6406e31f

  • SHA256

    dcd88d0f563c6164e4e55e706cb5516f957a38d08a9f91b9c1bc61586a2bd591

  • SHA512

    30b95c1f218cf918c64694a7c7bc10ee67d04ff7ced7f96592dd7e21231f35cabc976741bc1b7c639cffffb5dd7cd89f4b253487bb078e8d0c7826e04208d412

  • SSDEEP

    768:I4/CHDkUjn5fCja4sYxE7FWPA9pNGOMh0a4c:I4y4Ur5fzFJ9p4OMqZc

Score
10/10
stormkittyxwormdiscoveryevasionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

kit-austria.gl.at.ply.gg:59418

Mutex

KM83UkaVLVqybrWi

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 19 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 45 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient..2.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient..2.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:1196
    • C:\Windows\SYSTEM32\MsiExec.exe
      MsiExec.exe /X{2BB73336-4F69-4141-9797-E9BD6FE3980A}
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:4596
    • C:\Windows\SYSTEM32\MsiExec.exe
      MsiExec.exe /X{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}
      2⤵
        PID:2508
      • C:\Windows\SYSTEM32\MsiExec.exe
        MsiExec.exe /X{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}
        2⤵
          PID:1388
        • C:\Windows\SYSTEM32\MsiExec.exe
          MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
          2⤵
            PID:740
          • C:\Windows\SYSTEM32\MsiExec.exe
            MsiExec.exe /I{77924AE4-039E-4CA4-87B4-2F64180381F0}
            2⤵
            • Enumerates connected drives
            • Checks processor information in registry
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:3928
          • C:\Windows\SYSTEM32\MsiExec.exe
            MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
            2⤵
              PID:1908
            • C:\Windows\SYSTEM32\MsiExec.exe
              MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
              2⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:4280
            • C:\Windows\SYSTEM32\MsiExec.exe
              MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00}
              2⤵
                PID:1384
              • C:\Windows\SYSTEM32\MsiExec.exe
                MsiExec.exe /X{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}
                2⤵
                  PID:2452
                • C:\Windows\SYSTEM32\MsiExec.exe
                  MsiExec.exe /X{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
                  2⤵
                    PID:4872
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /X{CB0836EC-B072-368D-82B2-D3470BF95707}
                    2⤵
                    • Enumerates connected drives
                    • Suspicious use of FindShellTrayWindow
                    PID:1548
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /X{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}
                    2⤵
                    • Enumerates connected drives
                    • Suspicious use of FindShellTrayWindow
                    PID:3336
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /I{662A0088-6FCD-45DD-9EA7-68674058AED5}
                    2⤵
                    • Enumerates connected drives
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:1732
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /I{BF08E976-B92E-4336-B56F-2171179476C4}
                    2⤵
                    • Enumerates connected drives
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:2752
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /X{E634F316-BEB6-4FB3-A612-F7102F576165}
                    2⤵
                    • Suspicious use of FindShellTrayWindow
                    PID:1900
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /X{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}
                    2⤵
                    • Suspicious use of FindShellTrayWindow
                    PID:5076
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /X{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}
                    2⤵
                    • Suspicious use of FindShellTrayWindow
                    PID:3536
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE}
                    2⤵
                    • Suspicious use of FindShellTrayWindow
                    PID:3028
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE}
                    2⤵
                    • Enumerates connected drives
                    • Suspicious use of FindShellTrayWindow
                    PID:1612
                  • C:\Windows\SYSTEM32\MsiExec.exe
                    MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE}
                    2⤵
                      PID:1892
                    • C:\Windows\SYSTEM32\MsiExec.exe
                      MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
                      2⤵
                        PID:1760
                      • C:\Windows\SYSTEM32\MsiExec.exe
                        MsiExec.exe /X{9F51D16B-42E8-4A4A-8228-75045541A2AE}
                        2⤵
                          PID:4528
                        • C:\Windows\SYSTEM32\MsiExec.exe
                          MsiExec.exe /I{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
                          2⤵
                          • Enumerates connected drives
                          • Suspicious use of FindShellTrayWindow
                          PID:1552
                        • C:\Windows\SYSTEM32\MsiExec.exe
                          MsiExec.exe /I{64A3A4F4-B792-11D6-A78A-00B0D0180381}
                          2⤵
                          • Enumerates connected drives
                          • Checks processor information in registry
                          • Suspicious use of FindShellTrayWindow
                          PID:4976
                        • C:\Windows\SYSTEM32\MsiExec.exe
                          MsiExec.exe /X{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}
                          2⤵
                            PID:2000
                          • C:\Windows\SYSTEM32\MsiExec.exe
                            MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
                            2⤵
                              PID:3624
                            • C:\Windows\SYSTEM32\MsiExec.exe
                              MsiExec.exe /X{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}
                              2⤵
                                PID:4468
                              • C:\Windows\SYSTEM32\MsiExec.exe
                                MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
                                2⤵
                                  PID:3628
                                • C:\Windows\SYSTEM32\MsiExec.exe
                                  MsiExec.exe /X{79043ED0-7ED1-4227-A5E5-04C5594D21F7}
                                  2⤵
                                    PID:1344
                                  • C:\Windows\SYSTEM32\MsiExec.exe
                                    MsiExec.exe /X{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
                                    2⤵
                                      PID:5080
                                    • C:\Windows\SYSTEM32\MsiExec.exe
                                      MsiExec.exe /I{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}
                                      2⤵
                                      • Enumerates connected drives
                                      • Suspicious use of FindShellTrayWindow
                                      PID:3172
                                    • C:\Windows\SYSTEM32\MsiExec.exe
                                      MsiExec.exe /X{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}
                                      2⤵
                                      • Suspicious use of FindShellTrayWindow
                                      PID:424
                                    • C:\Windows\SYSTEM32\MsiExec.exe
                                      MsiExec.exe /X{B175520C-86A2-35A7-8619-86DC379688B9}
                                      2⤵
                                      • Enumerates connected drives
                                      • Suspicious use of FindShellTrayWindow
                                      PID:720
                                    • C:\Windows\SYSTEM32\MsiExec.exe
                                      MsiExec.exe /X{7DAD0258-515C-3DD4-8964-BD714199E0F7}
                                      2⤵
                                      • Enumerates connected drives
                                      • Suspicious use of FindShellTrayWindow
                                      PID:1712
                                  • C:\Windows\system32\msiexec.exe
                                    C:\Windows\system32\msiexec.exe /V
                                    1⤵
                                    • Enumerates connected drives
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Drops file in Windows directory
                                    • Modifies Internet Explorer settings
                                    • Modifies data under HKEY_USERS
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:5116
                                    • C:\Windows\syswow64\MsiExec.exe
                                      C:\Windows\syswow64\MsiExec.exe -Embedding 92F3C22ED846A3A6384E163CB3715CEE C
                                      2⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:800
                                    • C:\Windows\System32\MsiExec.exe
                                      C:\Windows\System32\MsiExec.exe -Embedding DE8FCC560F4FA7952E58DDF96D3B472D C
                                      2⤵
                                      • Loads dropped DLL
                                      PID:1204
                                    • C:\Windows\System32\MsiExec.exe
                                      C:\Windows\System32\MsiExec.exe -Embedding EDBE7C96842D365AEF5E458CA9E38FE6 C
                                      2⤵
                                      • Loads dropped DLL
                                      PID:4940
                                    • C:\Windows\System32\MsiExec.exe
                                      C:\Windows\System32\MsiExec.exe -Embedding 105A729268FC274CAC97D72EE3EADEE5
                                      2⤵
                                      • Loads dropped DLL
                                      PID:1584
                                    • C:\Windows\system32\srtasks.exe
                                      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                                      2⤵
                                        PID:3440
                                      • C:\Windows\syswow64\MsiExec.exe
                                        C:\Windows\syswow64\MsiExec.exe -Embedding FA8B7901F25C2E3E4F626FE1C536FB84
                                        2⤵
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2864
                                      • C:\Windows\syswow64\MsiExec.exe
                                        C:\Windows\syswow64\MsiExec.exe -Embedding DCB226AF8991A0EC0C47F074D465E25A
                                        2⤵
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2472
                                      • C:\Windows\syswow64\MsiExec.exe
                                        C:\Windows\syswow64\MsiExec.exe -Embedding F93F096BEF1DCF1097B49759C4B7F9EB
                                        2⤵
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:3144
                                      • C:\Windows\syswow64\MsiExec.exe
                                        C:\Windows\syswow64\MsiExec.exe -Embedding 138410E0E06EF4E1387A0506307C8823
                                        2⤵
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:4764
                                      • C:\Windows\syswow64\MsiExec.exe
                                        C:\Windows\syswow64\MsiExec.exe -Embedding 471236600FD045977EC39EA32F143E24
                                        2⤵
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:4128
                                      • C:\Windows\System32\MsiExec.exe
                                        C:\Windows\System32\MsiExec.exe -Embedding E26B65D7E3B9C7CCD4536ECFA1C03C26
                                        2⤵
                                        • Loads dropped DLL
                                        PID:2780
                                      • C:\Windows\System32\MsiExec.exe
                                        C:\Windows\System32\MsiExec.exe -Embedding 93DCDFD39FA0B373BB73289887414EC9 E Global\MSI0000
                                        2⤵
                                        • Loads dropped DLL
                                        PID:3936
                                        • C:\Program Files\Common Files\Microsoft Shared\Source Engine\ose.exe
                                          "C:\Program Files\Common Files\Microsoft Shared\Source Engine\ose.exe" -standalone:temp
                                          3⤵
                                          • Executes dropped EXE
                                          PID:3956
                                          • C:\Windows\Temp\ose00000.exe
                                            "C:\Windows\Temp\ose00000.exe" -standalone
                                            4⤵
                                            • Executes dropped EXE
                                            PID:2508
                                    • C:\Windows\system32\vssvc.exe
                                      C:\Windows\system32\vssvc.exe
                                      1⤵
                                      • Checks SCSI registry key(s)
                                      PID:1056

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Reconnaissance

                                    Resource Development

                                    Initial Access

                                    Execution

                                    Persistence

                                    Boot or Logon Autostart Execution

                                    1
                                    T1547

                                    Registry Run Keys / Startup Folder

                                    1
                                    T1547.001

                                    Create or Modify System Process

                                    1
                                    T1543

                                    Windows Service

                                    1
                                    T1543.003

                                    Event Triggered Execution

                                    2
                                    T1546

                                    Component Object Model Hijacking

                                    1
                                    T1546.015

                                    Netsh Helper DLL

                                    1
                                    T1546.007

                                    Privilege Escalation

                                    Boot or Logon Autostart Execution

                                    1
                                    T1547

                                    Registry Run Keys / Startup Folder

                                    1
                                    T1547.001

                                    Create or Modify System Process

                                    1
                                    T1543

                                    Windows Service

                                    1
                                    T1543.003

                                    Event Triggered Execution

                                    2
                                    T1546

                                    Component Object Model Hijacking

                                    1
                                    T1546.015

                                    Netsh Helper DLL

                                    1
                                    T1546.007

                                    Defense Evasion

                                    Impair Defenses

                                    1
                                    T1562

                                    Disable or Modify System Firewall

                                    1
                                    T1562.004

                                    Modify Registry

                                    2
                                    T1112

                                    Credential Access

                                    Credentials from Password Stores

                                    1
                                    T1555

                                    Credentials from Web Browsers

                                    1
                                    T1555.003

                                    Unsecured Credentials

                                    1
                                    T1552

                                    Credentials In Files

                                    1
                                    T1552.001

                                    Discovery

                                    Browser Information Discovery

                                    1
                                    T1217

                                    Peripheral Device Discovery

                                    2
                                    T1120

                                    Query Registry

                                    5
                                    T1012

                                    System Information Discovery

                                    5
                                    T1082

                                    System Location Discovery

                                    1
                                    T1614

                                    System Language Discovery

                                    1
                                    T1614.001

                                    Lateral Movement

                                    Collection

                                    Data from Local System

                                    1
                                    T1005

                                    Command and Control

                                    Exfiltration

                                    Impact

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Config.Msi\e58dd8c.rbs
                                      Filesize

                                      3KB

                                      MD5

                                      a77356fbc7680d8a7d6e5977708ad196

                                      SHA1

                                      8e8980422f3a3b957b6b299ce4b7df7c84bc1f10

                                      SHA256

                                      989cfae6abd741da3b1c7ea7a1c752f4c161db6c1e14bdae222384188f9b5a51

                                      SHA512

                                      b854eec71f9606a1d2aff813e34469320a3be871aba16d309915f9861a9402710be6c6b302fff315054deda031ab4fcb32a450e3954c84bb49bc2aacfb30c49d

                                      Download Submit

                                    • C:\Config.Msi\e58dd8f.rbs
                                      Filesize

                                      3KB

                                      MD5

                                      8b3e1550f10bc3be82564924123c96c1

                                      SHA1

                                      6b717839f7580279f1b7731b2db2b43aa9ba5abf

                                      SHA256

                                      5a730bba22749e43d398dbe3661b203c3fbd3fa0f2ea33edbb2ee81983d5630d

                                      SHA512

                                      4bfac4a3963ec62a6d61d70d3532c62313611d9845c09521d51ceced1ae23749a9f0f9e0db1ca5f50dde0c7df38e2fa97859cb73444d41199e626782a30d5414

                                      Download Submit

                                    • C:\Config.Msi\e58dd92.rbs
                                      Filesize

                                      6KB

                                      MD5

                                      47cd1429ac6bab15bb11d5a553ed09ad

                                      SHA1

                                      0b6cc9c57b04814e6cd5dc8fe3a6bc4c151f7ec1

                                      SHA256

                                      f086dde66eb455bcb953d7d26756b13b0ee0d0a6505cc504f3e38a8025bd3021

                                      SHA512

                                      4010b0a58146d6a2638751356eebb9e0b733ca2caf2d7c1ed685ed1013ff554b11f4bd45dff1aedee707addd389d5cbf2998ea086545bc8fcf2105bbbef8d105

                                      Download Submit

                                    • C:\Config.Msi\e58dd9d.rbf
                                      Filesize

                                      3B

                                      MD5

                                      21438ef4b9ad4fc266b6129a2f60de29

                                      SHA1

                                      5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

                                      SHA256

                                      13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

                                      SHA512

                                      37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

                                      Download Submit

                                    • C:\Config.Msi\e58dda0.rbs
                                      Filesize

                                      3KB

                                      MD5

                                      b8e6aed8b68d2be1363f2bfe3faab1be

                                      SHA1

                                      939c31a978227d75452441eb29a33545bc41bd1f

                                      SHA256

                                      845521bc9c0663582e6ae67dec1416a2abb2defee49853b59f2256728eeb0d7e

                                      SHA512

                                      267041fc69e2963a61fe3620bf15a6b14cd098ab5cc05c478b624f5a7476677b1ab937e013454178db89111d96c1c1a8556cd653afd7da1f88518ce9fcf9b92c

                                      Download Submit

                                    • C:\Config.Msi\e58dda3.rbs
                                      Filesize

                                      3KB

                                      MD5

                                      78cccc82f06016023bc840bb2028adbe

                                      SHA1

                                      0dfb68d94703148ef093a04529fe87c57c267832

                                      SHA256

                                      5f3f6845e03e6b00fb36c63e8a46d8777a712e7fe201f6e076e0ac2dd41d558a

                                      SHA512

                                      5229d3645a240cc03860de39f4a0b969cf95e8bb803a02f21b290a86a528c0743c6fc146587f8ba503726d9b74d795df866b935db55ff758a6cafe0dfc5e0435

                                      Download Submit

                                    • C:\Config.Msi\e58dda6.rbs
                                      Filesize

                                      23KB

                                      MD5

                                      a0f292fe84451a7dcdeecde0354f150d

                                      SHA1

                                      2a5b1476057e8c8a47d1ffbaeaf4e91dc25c7c1c

                                      SHA256

                                      ad868c105135e1f01ff0bae6683f3a266b146ce3b3a1fc3e4eab81dabcf993f8

                                      SHA512

                                      98beef8de8db27f14d06301c3797d0ac5938f26bb3a076a3741bd71ddcc2c65129ae8bcbd6ca2994052acd1a09387d579b7fe9fed0efb6fe03e37177b81ea3dc

                                      Download Submit

                                    • C:\Config.Msi\e58ddb9.rbs
                                      Filesize

                                      9KB

                                      MD5

                                      0c565f1559199d6d034fb148162708fa

                                      SHA1

                                      6c7598bdf7bed4ecdfc8890cd5e6c58a4d02dbb5

                                      SHA256

                                      d698996ca6db4585ac23199d7e068c0a3a5763e60c71f1f54727ad14d6a18cf8

                                      SHA512

                                      3d20d6113c5c7f954bcacc51a44abbb87b1a6f6a39b299bd8f67ff034eabec7856af095f3c07db27f02aea9b07a2aa549a6283c8aa5644bac81f0da654c7a079

                                      Download Submit

                                    • C:\Config.Msi\e58ddbc.rbs
                                      Filesize

                                      15KB

                                      MD5

                                      e0157ada2c121d179cd994b7c440bd7c

                                      SHA1

                                      f9859ec0bad2c3fa176902f9d73142aca6899e1b

                                      SHA256

                                      3c2b73eae20503674d12e10b9bb8e75701a24450cf0b87b170660d9efd8c3cf0

                                      SHA512

                                      3e8eb12b82c0d3f3bd6cfe79424718473c69ca9bfb308e61254a4b5018edfdc50bf19273816ab9547628af65c4af2bde1e151774fa58d47962676dc5dc909618

                                      Download Submit

                                    • C:\Config.Msi\e58ddc4.rbs
                                      Filesize

                                      13KB

                                      MD5

                                      fa2653a6a59fd65db448f2b45e012567

                                      SHA1

                                      ff4174cccc5d4fe158d40e79777926f7edc9df31

                                      SHA256

                                      75fc114e67ea37d4dcd1c255c7061951a18e3f32091443529857a226fd3b0e44

                                      SHA512

                                      3f7649e2365d249d02ac9267ddcf23c6b59d386212cef1479c8d6bb9266357111ad13e67aae7f596bdfa57633c72182556fcabc86b8702caf73fe5dce74293e0

                                      Download Submit

                                    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
                                      Filesize

                                      257KB

                                      MD5

                                      17dc54ade85613728a43f2d733527c5e

                                      SHA1

                                      6420a7744edb234f8cf989b7f261265baa381e94

                                      SHA256

                                      8c47f981e1a46a42a268f53ef1b1476555a54bed7077f7b13b1e562c4c9c049e

                                      SHA512

                                      632541e69c61398c3eb07ea7b8e7a21a6a765b592939f091bf8319cacbf7f294860e5f80c82e8e7ab29e2a20e67dd4d1e34171b2c5858d30ce9b9bcbe167ee43

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSI8d77f.LOG
                                      Filesize

                                      20KB

                                      MD5

                                      2c2f489c695ec630a96a233a79310f16

                                      SHA1

                                      0f82196dd0165d00a91cf1e4659eadaa72fbae63

                                      SHA256

                                      b8b3c66ce476598b254e76ee91dab0b527345d388044ffa60555ad4ef6c7863b

                                      SHA512

                                      7c4cb5933c6fda6170b9c97740a5a9c5cfdf717d618ed3b0e284e7e743718226b901b5750aaea52d7521df5614af6fb9bf4cbac280cd8fde76bee3ce704d19ab

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSI8d79e.LOG
                                      Filesize

                                      20KB

                                      MD5

                                      dc7ae3656accbdb747d9d6839502c25c

                                      SHA1

                                      b1e172e84fa5fb3cf9d4f79ad967ec69745493a0

                                      SHA256

                                      b5217773e2ab05ef917166f60b809dd932ada38dfbb127bb1d1293907ef2bbfc

                                      SHA512

                                      9c04d3c22bf8c93b9a200622d850a7d8117814996cfb02fe981abc177def96da66b75f08dfef4382e1e739585d296a58d6a4e89c68a8a514ae6449e0305358e5

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSI8d9b1.LOG
                                      Filesize

                                      20KB

                                      MD5

                                      cacc37614b8173131a97df9c9d10d58d

                                      SHA1

                                      41eb0981c2283fd75b480c45096dfa33435e4dd3

                                      SHA256

                                      2d5004d3ed75efc30ff2b3ff0ab7e766b5d5bcec1efc244c3fbb4b75da41a100

                                      SHA512

                                      11007f777a881c2a23d5acf5e0d9c51c7cf367d21096eb512bec631e08c300dde2eeb36e8fbb40a4057a4afb10d02bef58f5e85da5399228598bfe67ffce0e12

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSI8db48.LOG
                                      Filesize

                                      20KB

                                      MD5

                                      ed6eece37cc19a4f6dd8b916a0f64d59

                                      SHA1

                                      6a0ac45e6220c7ecd3d6360c97a4bc907199ca79

                                      SHA256

                                      e72965d29a0fe1332677323bfc24e5da8a5cf21b580ea5b0ecaeed9ae3ebaa6a

                                      SHA512

                                      5ca9c2bf0f9f0ca357baf356f22899b0f7419ea7e54b77bf08ef2278a3140b457bc452170550322c74c373d3c3b56e2abe6afe200ccf65b25639407e2d292539

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSI8de16.LOG
                                      Filesize

                                      2KB

                                      MD5

                                      2e53ca70848bedc68c8c42cd32073101

                                      SHA1

                                      c52ec7f2852fb4b2f3cb5f997d3347c235e68d95

                                      SHA256

                                      c030b6c75172df2b79ac92e6028044ebc7e18d6186b7dd28ce6ea272e7cebf55

                                      SHA512

                                      6a600af03889b77cdd04ab04444edadb91e9bf45c7bc5afcb4dfd2a5e3d2e3a1ce23017abd6c100b0fd4fa8d94f2bc788460427dee444f89a7cce36e6effd77e

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSI97601.LOG
                                      Filesize

                                      2KB

                                      MD5

                                      e52c356ab98f5819447148c01e5bfdb0

                                      SHA1

                                      a764011f1e19822907176238818009ab103c5a11

                                      SHA256

                                      cd26c8c36849d1768fac7bb6625d06f3078ad4ea435f3287a0db5ebaa214f6d9

                                      SHA512

                                      7177f1f616fe8a89c7b06466a85abfc4980a894a97eacf604db276c8e66b45cc587c1abe5c9f5496a95c95f9d30204c1872d2678e98577464b815550c07ae72a

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSI97749.LOG
                                      Filesize

                                      2KB

                                      MD5

                                      c9c9d01939f6b4042d7586c60e1e2e9a

                                      SHA1

                                      0b73fb31bf47e62a81b3013d5bce868e66c2b308

                                      SHA256

                                      46282d7f7c2e46b619397805ce55c78dcacb5b1fee71033541d81c182ff15d24

                                      SHA512

                                      4cb9d5095b16aefb4dfa0305c8c2cde78acc3610bfc79c37643636b76beb79b397239084a08265ed7b3dabd0e114d525169d238a961779cc0d8d8404fc6d7e14

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSIDA2E.tmp
                                      Filesize

                                      57KB

                                      MD5

                                      c23d4d5a87e08f8a822ad5a8dbd69592

                                      SHA1

                                      317df555bc309dace46ae5c5589bec53ea8f137e

                                      SHA256

                                      6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

                                      SHA512

                                      fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSIDA3E.tmp
                                      Filesize

                                      908KB

                                      MD5

                                      2c169c625b6f35aab52b5bf76abbc27e

                                      SHA1

                                      6e10678a100844c40e071f462dba80a3db0a3db9

                                      SHA256

                                      e6597b902da4734352ed9c65172118221708597e414b4b687cc29c71b0e3f55d

                                      SHA512

                                      fa9b12cb88c61b689a797d5f378f92bbb09e81b9aae8ad2fc8640229ea6908fc426bd6c8f9f60b4724e76cd517d205ba939bec106061f339121b7168558b229e

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSIDC71.tmp
                                      Filesize

                                      885KB

                                      MD5

                                      1f0af45ebb41a281e1842cf13ec0a936

                                      SHA1

                                      ed725de3bfb61f9614d76497ce88488925502977

                                      SHA256

                                      18c9929344a096d80a051b2513c1c91ca89ba22c9e8d24240faf1566767a9e66

                                      SHA512

                                      3c414d6ea6f929d9710ffb9a8dbfa737b36ded9b2cdf8260d6a8a9224ffb005e1dc090d331b9f69b9c7c8871570f437288fcc3c8b51dd619df9975d374085c8c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSIDD6C.tmp
                                      Filesize

                                      418KB

                                      MD5

                                      67f23a38c85856e8a20e815c548cd424

                                      SHA1

                                      16e8959c52f983e83f688f4cce3487364b1ffd10

                                      SHA256

                                      f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

                                      SHA512

                                      41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\MSIDE29.tmp
                                      Filesize

                                      209KB

                                      MD5

                                      0e91605ee2395145d077adb643609085

                                      SHA1

                                      303263aa6889013ce889bd4ea0324acdf35f29f2

                                      SHA256

                                      5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

                                      SHA512

                                      3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\jusched.log
                                      Filesize

                                      165KB

                                      MD5

                                      0661a1c77a580a7a6343b443c3d0f1df

                                      SHA1

                                      70edc00b5abcf2eefa79b72eeea6197cedc76211

                                      SHA256

                                      fd7432c24a432c39052f8a5891edc5e9195416795ae9d6e88334385e1b98a086

                                      SHA512

                                      166dc5c3ab6f85200837386d5e5b6d8925600bf9596c991dcd4cfd6e58cfe6e6828df4129f2adb3c54c58d8151352bb0670d5593a42a086c0a0439069cf1a05d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\jusched.log
                                      Filesize

                                      167KB

                                      MD5

                                      02d1d55a74f50bbb5ce754f69fb90643

                                      SHA1

                                      a019823da0d5a60148349fe99d87885fd702d9ce

                                      SHA256

                                      5cad0e3527dfd75cff4461e1f44381dfb0f147fc41f77186ac0489d306d4c57f

                                      SHA512

                                      c76328e67d90eef480f3d195c54500ab2ddd23a38e58b99aca16dbc942bdc227ce650d4ebc824474bb9d229427ea2f97bda02097b0fec18fb4a3ce1ec9f588b8

                                      Download Submit

                                    • C:\Windows\Installer\MSI1F1E.tmp
                                      Filesize

                                      74KB

                                      MD5

                                      d557e10dd63535aae79b780fbf83961d

                                      SHA1

                                      67fdf4459fab259f61da7ddd342261243b916a94

                                      SHA256

                                      be2ead50c4cd94d33c7f1e7c00b47744cb4b4309dcb349236cdcd447265ecf4b

                                      SHA512

                                      ab7d5ec81a3e4367b51deac213da79f9b3a6f5be505f4900121b19bffee4366dabf9674753f6ea82e35a88080b85b1e0f2eca790630f879f850aa322e4068feb

                                      Download Submit

                                    • C:\Windows\Installer\MSI4CF6.tmp
                                      Filesize

                                      225KB

                                      MD5

                                      d711da8a6487aea301e05003f327879f

                                      SHA1

                                      548d3779ed3ab7309328f174bfb18d7768d27747

                                      SHA256

                                      3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

                                      SHA512

                                      c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

                                      Download Submit

                                    • C:\Windows\Installer\MSI4DB3.tmp
                                      Filesize

                                      133KB

                                      MD5

                                      4c243138e444ab4e21413acd69c6b6b5

                                      SHA1

                                      63204dfe68cf108a86c4cab22e2f890c939a5f76

                                      SHA256

                                      6438a95c3566eee0577548bdc828180616f21efd2e9143fb316e11d2a16ef7e5

                                      SHA512

                                      b285069fd0e1a48f4f2b447247ae184cbfec872182e7e31f88449158008dad13a62971f76515b3b5e9e6c600aa80d7694e2cba03f367396106ccbbb2c4ec5fe9

                                      Download Submit

                                    • C:\Windows\Installer\MSI7727.tmp
                                      Filesize

                                      68KB

                                      MD5

                                      54dde63178e5f043852e1c1b5cde0c4b

                                      SHA1

                                      a4b6b1d4e265bd2b2693fbd9e75a2fc35078e9bd

                                      SHA256

                                      f95a10c990529409e7abbc9b9ca64e87728dd75008161537d58117cbc0e80f9d

                                      SHA512

                                      995d33b9a1b4d25cd183925031cffa7a64e0a1bcd3eb65ae9b7e65e87033cd790be48cd927e6fa56e7c5e7e70f524dccc665beddb51c004101e3d4d9d7874b45

                                      Download Submit

                                    • C:\Windows\Installer\MSI9717.tmp
                                      Filesize

                                      19KB

                                      MD5

                                      9cadbfa797783ff9e7fc60301de9e1ff

                                      SHA1

                                      83bde6d6b75dfc88d3418ec1a2e935872b8864bb

                                      SHA256

                                      c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141

                                      SHA512

                                      095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b

                                      Download Submit

                                    • C:\Windows\Installer\MSIA2A3.tmp
                                      Filesize

                                      81KB

                                      MD5

                                      fccdc45ca17e5180b40efc28052bac39

                                      SHA1

                                      cecb5a7e8807e619956183897a64930ce56294d6

                                      SHA256

                                      4ab37b0f9c5fe3505e1ecfe0764aaa04838cf81f9e0a402425e057f7a251e621

                                      SHA512

                                      67a9cd2066155b35a4b11e7917c2b6dd1d39828bfbe2972b22eea79c1891fd142f50273dde0cbf0a500259fb468f7636db05131a70b3c54a143f945d037da1ce

                                      Download Submit

                                    • C:\Windows\Installer\MSICDCB.tmp
                                      Filesize

                                      536KB

                                      MD5

                                      f15ef95ebdb50557e7d56de123dfd88c

                                      SHA1

                                      cf4b735ab97d982c7596c18eb2ce0dd5e192235a

                                      SHA256

                                      4339887d03bbd8801bf6bf531e9445e9b2f165aeed71848f46a15a84ca1830ef

                                      SHA512

                                      ebf6f97a2dee732fd952d9ecb943fd476436540dfda1f742ca79a7723f8128872052bd9bd8c7a2e2a062381f0fc2e92cdb8cd93b788425b261a8c77cc5ed16ca

                                      Download Submit

                                    • C:\Windows\Installer\MSIE51D.tmp
                                      Filesize

                                      89KB

                                      MD5

                                      ee6243df5ea48d929da4790efeea45c9

                                      SHA1

                                      9c21d62d7ffca1c68e615eb57bcd5d4ad3d090db

                                      SHA256

                                      0503fcf7646daae6e5445d8c5f248384542d2eeab4c7d8ad3cd5a47759759a48

                                      SHA512

                                      283c6a7bf2bc0b3c2dced9ea7c763c71b6d68c57da6845985f8faaa9cb7649d945a3be2127bbc1e77be792f925e14cff191c9d6bdf821635d438f985feb7753f

                                      Download Submit

                                    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                      Filesize

                                      24.1MB

                                      MD5

                                      601328d5e965f4226a02281a4037f7ae

                                      SHA1

                                      f1d4293815ac1b720018cd4b2068a2826b74ecba

                                      SHA256

                                      63411f893ae92d1799c94b7df31a31ac43ac3c3dfc6c988b297f0664fc3ad6e9

                                      SHA512

                                      453ece815eb456a78dbf50437085385c0e37e7eb19cce8cde7e41bcbee7e2ace63ee05b5dfc6d2e3e0c7e1e9b80c4f0e04bb88783a45155cbd81502da96cc165

                                      Download Submit

                                    • \??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7685ff4f-8e44-4d92-aab1-21e1ede01479}_OnDiskSnapshotProp
                                      Filesize

                                      6KB

                                      MD5

                                      a74e2d2129561f9e2ad733ce76a2cdce

                                      SHA1

                                      e748a380d6d75b1bbbd9c85426312ebeead6bad3

                                      SHA256

                                      9955d8312925ebfe2340ddeed9987bfd6ac7616b26ed14207041c5a70caeee27

                                      SHA512

                                      c327c0aceb6a1e986a2e9a23117f2fd86d1981d2e43da18be6e665d58e58716f4b86417b62d6405f78e47f5bca216deef5f50fd32572ca0ee00dced665009fa5

                                      Download Submit

                                    • memory/3916-199-0x000000001C830000-0x000000001C852000-memory.dmp

                                      Filesize

                                      136KB

                                      Download

                                    • memory/3916-11-0x000000001AFF0000-0x000000001AFFA000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/3916-9-0x000000001C590000-0x000000001C5C6000-memory.dmp

                                      Filesize

                                      216KB

                                      Download

                                    • memory/3916-8-0x0000000002620000-0x000000000262E000-memory.dmp

                                      Filesize

                                      56KB

                                      Download

                                    • memory/3916-160-0x000000001CEE0000-0x000000001D000000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/3916-7-0x00007FFCCF6B0000-0x00007FFCD0171000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/3916-6-0x00007FFCCF6B3000-0x00007FFCCF6B5000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/3916-5-0x00007FFCCF6B0000-0x00007FFCD0171000-memory.dmp

                                      Filesize

                                      10.8MB

                                      Download

                                    • memory/3916-12-0x000000001D000000-0x000000001D012000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/3916-13-0x000000001B000000-0x000000001B00A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/3916-0-0x00007FFCCF6B3000-0x00007FFCCF6B5000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/3916-1-0x0000000000460000-0x0000000000470000-memory.dmp

                                      Filesize

                                      64KB

                                      Download