xworm | 2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XwormLoader.exe
Size

293KB
MD5

67b572b8fed9bb8e91b26c6bd9fec2a3
SHA1

91dd3124155f24c31ba86c6ccd3a13b4d6f6ddab
SHA256

2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e
SHA512

6f7edc4c8438b5730cc2b118160266423cba857d9ca8ed0bb16bee40fc84f2e8a1f98b028e50ffaa4f8a3bf67c33da9abcd932bdc2d001b665ef030880f61357
SSDEEP

6144:6bs68FnNynbfZoOzbEWGSHVXWC8lCk1SHM70v9:6bs6anNi3bEWGSHdWCvFM70v9

Score

10^/10

xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:18194

soon-logical.gl.at.ply.gg:18194

Mutex

APoxCrOmNOvTLB4L

Attributes

Install_directory
%Userprofile%
install_file
chrome.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120ff-5.dat	family_xworm
behavioral1/memory/2888-7-0x0000000000800000-0x0000000000810000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
2564	powershell.exe
2004	powershell.exe
2280	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	start.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	start.exe

Executes dropped EXE 64 IoCs

pid	Process
2888	start.exe
2632	start.exe
1944	start.exe
2928	start.exe
1008	start.exe
2136	start.exe
2368	start.exe
1572	start.exe
2376	start.exe
1036	start.exe
2796	start.exe
2728	start.exe
2652	start.exe
2992	start.exe
532	start.exe
2636	start.exe
2952	start.exe
2208	start.exe
1496	start.exe
2460	start.exe
1600	start.exe
2396	start.exe
2496	start.exe
2644	start.exe
2884	start.exe
2896	start.exe
2080	start.exe
2992	start.exe
2624	start.exe
980	start.exe
1108	start.exe
1596	start.exe
1748	start.exe
1000	start.exe
2492	start.exe
2336	start.exe
2720	start.exe
1036	start.exe
1256	start.exe
2168	start.exe
2504	start.exe
2240	start.exe
1812	start.exe
2420	start.exe
1200	start.exe
1040	start.exe
1596	start.exe
1748	start.exe
1336	start.exe
2824	start.exe
2904	start.exe
2516	start.exe
2760	start.exe
2356	start.exe
2168	start.exe
2408	start.exe
3056	start.exe
2952	start.exe
1708	start.exe
1932	start.exe
448	start.exe
348	start.exe
1988	start.exe
3024	start.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\chrome.exe"	start.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2584	powershell.exe
2564	powershell.exe
2004	powershell.exe
2280	powershell.exe
2888	start.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	start.exe
Token: SeDebugPrivilege	2632	start.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1944	start.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2888	start.exe
Token: SeDebugPrivilege	2928	start.exe
Token: SeDebugPrivilege	1008	start.exe
Token: SeDebugPrivilege	2136	start.exe
Token: SeDebugPrivilege	2368	start.exe
Token: SeDebugPrivilege	1572	start.exe
Token: SeDebugPrivilege	2376	start.exe
Token: SeDebugPrivilege	1036	start.exe
Token: SeDebugPrivilege	2796	start.exe
Token: SeDebugPrivilege	2728	start.exe
Token: SeDebugPrivilege	2652	start.exe
Token: SeDebugPrivilege	2992	start.exe
Token: SeDebugPrivilege	532	start.exe
Token: SeDebugPrivilege	2636	start.exe
Token: SeDebugPrivilege	2952	start.exe
Token: SeDebugPrivilege	2208	start.exe
Token: SeDebugPrivilege	1496	start.exe
Token: SeDebugPrivilege	2460	start.exe
Token: SeDebugPrivilege	1600	start.exe
Token: SeDebugPrivilege	2396	start.exe
Token: SeDebugPrivilege	2644	start.exe
Token: SeDebugPrivilege	2884	start.exe
Token: SeDebugPrivilege	2896	start.exe
Token: SeDebugPrivilege	2080	start.exe
Token: SeDebugPrivilege	2992	start.exe
Token: SeDebugPrivilege	2624	start.exe
Token: SeDebugPrivilege	980	start.exe
Token: SeDebugPrivilege	1108	start.exe
Token: SeDebugPrivilege	1596	start.exe
Token: SeDebugPrivilege	1748	start.exe
Token: SeDebugPrivilege	1000	start.exe
Token: SeDebugPrivilege	2492	start.exe
Token: SeDebugPrivilege	2336	start.exe
Token: SeDebugPrivilege	2720	start.exe
Token: SeDebugPrivilege	1036	start.exe
Token: SeDebugPrivilege	1256	start.exe
Token: SeDebugPrivilege	2168	start.exe
Token: SeDebugPrivilege	2504	start.exe
Token: SeDebugPrivilege	2240	start.exe
Token: SeDebugPrivilege	1812	start.exe
Token: SeDebugPrivilege	2420	start.exe
Token: SeDebugPrivilege	1200	start.exe
Token: SeDebugPrivilege	1040	start.exe
Token: SeDebugPrivilege	1596	start.exe
Token: SeDebugPrivilege	1748	start.exe
Token: SeDebugPrivilege	1336	start.exe
Token: SeDebugPrivilege	2824	start.exe
Token: SeDebugPrivilege	2904	start.exe
Token: SeDebugPrivilege	2516	start.exe
Token: SeDebugPrivilege	2760	start.exe
Token: SeDebugPrivilege	2356	start.exe
Token: SeDebugPrivilege	2168	start.exe
Token: SeDebugPrivilege	2408	start.exe
Token: SeDebugPrivilege	3056	start.exe
Token: SeDebugPrivilege	2952	start.exe
Token: SeDebugPrivilege	1708	start.exe
Token: SeDebugPrivilege	1932	start.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2888	start.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2888	2448	XwormLoader.exe	30
PID 2448 wrote to memory of 2888	2448	XwormLoader.exe	30
PID 2448 wrote to memory of 2888	2448	XwormLoader.exe	30
PID 2448 wrote to memory of 2704	2448	XwormLoader.exe	31
PID 2448 wrote to memory of 2704	2448	XwormLoader.exe	31
PID 2448 wrote to memory of 2704	2448	XwormLoader.exe	31
PID 2704 wrote to memory of 2632	2704	XwormLoader.exe	32
PID 2704 wrote to memory of 2632	2704	XwormLoader.exe	32
PID 2704 wrote to memory of 2632	2704	XwormLoader.exe	32
PID 2704 wrote to memory of 2980	2704	XwormLoader.exe	33
PID 2704 wrote to memory of 2980	2704	XwormLoader.exe	33
PID 2704 wrote to memory of 2980	2704	XwormLoader.exe	33
PID 2888 wrote to memory of 2584	2888	start.exe	34
PID 2888 wrote to memory of 2584	2888	start.exe	34
PID 2888 wrote to memory of 2584	2888	start.exe	34
PID 2888 wrote to memory of 2564	2888	start.exe	36
PID 2888 wrote to memory of 2564	2888	start.exe	36
PID 2888 wrote to memory of 2564	2888	start.exe	36
PID 2888 wrote to memory of 2004	2888	start.exe	38
PID 2888 wrote to memory of 2004	2888	start.exe	38
PID 2888 wrote to memory of 2004	2888	start.exe	38
PID 2980 wrote to memory of 1944	2980	XwormLoader.exe	40
PID 2980 wrote to memory of 1944	2980	XwormLoader.exe	40
PID 2980 wrote to memory of 1944	2980	XwormLoader.exe	40
PID 2980 wrote to memory of 2328	2980	XwormLoader.exe	41
PID 2980 wrote to memory of 2328	2980	XwormLoader.exe	41
PID 2980 wrote to memory of 2328	2980	XwormLoader.exe	41
PID 2888 wrote to memory of 2280	2888	start.exe	42
PID 2888 wrote to memory of 2280	2888	start.exe	42
PID 2888 wrote to memory of 2280	2888	start.exe	42
PID 2328 wrote to memory of 2928	2328	XwormLoader.exe	44
PID 2328 wrote to memory of 2928	2328	XwormLoader.exe	44
PID 2328 wrote to memory of 2928	2328	XwormLoader.exe	44
PID 2328 wrote to memory of 2668	2328	XwormLoader.exe	45
PID 2328 wrote to memory of 2668	2328	XwormLoader.exe	45
PID 2328 wrote to memory of 2668	2328	XwormLoader.exe	45
PID 2668 wrote to memory of 1008	2668	XwormLoader.exe	46
PID 2668 wrote to memory of 1008	2668	XwormLoader.exe	46
PID 2668 wrote to memory of 1008	2668	XwormLoader.exe	46
PID 2668 wrote to memory of 608	2668	XwormLoader.exe	47
PID 2668 wrote to memory of 608	2668	XwormLoader.exe	47
PID 2668 wrote to memory of 608	2668	XwormLoader.exe	47
PID 608 wrote to memory of 2136	608	XwormLoader.exe	48
PID 608 wrote to memory of 2136	608	XwormLoader.exe	48
PID 608 wrote to memory of 2136	608	XwormLoader.exe	48
PID 608 wrote to memory of 2116	608	XwormLoader.exe	49
PID 608 wrote to memory of 2116	608	XwormLoader.exe	49
PID 608 wrote to memory of 2116	608	XwormLoader.exe	49
PID 2116 wrote to memory of 2368	2116	XwormLoader.exe	50
PID 2116 wrote to memory of 2368	2116	XwormLoader.exe	50
PID 2116 wrote to memory of 2368	2116	XwormLoader.exe	50
PID 2116 wrote to memory of 2140	2116	XwormLoader.exe	51
PID 2116 wrote to memory of 2140	2116	XwormLoader.exe	51
PID 2116 wrote to memory of 2140	2116	XwormLoader.exe	51
PID 2140 wrote to memory of 1572	2140	XwormLoader.exe	53
PID 2140 wrote to memory of 1572	2140	XwormLoader.exe	53
PID 2140 wrote to memory of 1572	2140	XwormLoader.exe	53
PID 2140 wrote to memory of 1612	2140	XwormLoader.exe	54
PID 2140 wrote to memory of 1612	2140	XwormLoader.exe	54
PID 2140 wrote to memory of 1612	2140	XwormLoader.exe	54
PID 1612 wrote to memory of 2376	1612	XwormLoader.exe	55
PID 1612 wrote to memory of 2376	1612	XwormLoader.exe	55
PID 1612 wrote to memory of 2376	1612	XwormLoader.exe	55
PID 1612 wrote to memory of 1492	1612	XwormLoader.exe	56

C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        10⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        11⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        12⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        13⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        14⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        15⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        16⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        17⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        18⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        19⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        20⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        21⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        22⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        23⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        24⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        24⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        25⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        26⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        27⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        28⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        29⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        30⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        31⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        32⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        33⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        34⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        35⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        36⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        37⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        38⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        39⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        40⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        41⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        42⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        43⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        44⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        45⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        46⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        47⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        48⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        49⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        50⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        51⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        52⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        53⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        54⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        55⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        56⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        57⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        58⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        59⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        60⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        61⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        62⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        62⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        63⤵
        Executes dropped EXE
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        63⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        64⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        64⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        65⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        65⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        66⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        66⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        67⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        67⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        68⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        68⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        69⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        69⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        70⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        70⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        71⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        71⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        72⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        72⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        73⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
        73⤵
        
        PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
39KB

MD5
51e4348a35c9b40b0136fa204442f9c2

SHA1
aea47a3a717ca9cce49966093def7d8f5a53709a

SHA256
a8047efe920772b13508683a7d80de379b0cf2dc40b39a9cd37f949de6a90479

SHA512
f15353f1b29ead57efe865935ef0cbd9efa2f0e81e47a92993279a59ea4174fde1e9bb2546c35deda6cfa641cfa0ecd58f8a2f6006f0589ce95553d7debfa3bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d575d64f122ea29bba8cf4287a9fa6a2

SHA1
42e4baaa6862ee8c997006cff3809cfc2d7dd831

SHA256
929ab6ff1f0974006bcb0c68ad9aea3e72756eae20d39406b2b4fb4efcd631d0

SHA512
e4882ad59d2a57428d19b257b882bb69d457bc9b9ac6e7d8e31620896f4a9a0f2bafe399d1e5dc9341d32c195ac59fa8e16aa3fc4c96e9b04014f01af4589207

Download Submit
memory/2448-1-0x00000000012A0000-0x00000000012F0000-memory.dmp

Filesize
320KB

Download
memory/2448-8-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-0-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/2564-21-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2564-22-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2584-15-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2584-14-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2888-7-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/2888-51-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2888-68-0x00000000021B0000-0x00000000021BE000-memory.dmp

Filesize
56KB

Download