agenttesla | hxxps://gofile[.]io/d/x69MMf

Analysis

max time kernel
2700s
max time network
2645s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/x69MMf

Score

10^/10

agenttesla xworm agilenet keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

BaXr2Xq9g5HmIzal

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gsqocjik\gsqocjik.0.vb	family_xworm
C:\Users\Admin\Downloads\XClient.exe	family_xworm
C:\Users\Admin\Downloads\XClient.exe	family_xworm
behavioral1/memory/4496-1366-0x0000000000190000-0x00000000001A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\Guna.UI2.dll	family_agenttesla
behavioral1/memory/4280-489-0x000001CA23450000-0x000001CA23644000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

XClient.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation XClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

XWormLoader 5.2 x64.exeXClient.exe

pid process

4280 XWormLoader 5.2 x64.exe
4496 XClient.exe
Loads dropped DLL 1 IoCs

Processes:

XWormLoader 5.2 x64.exe

pid process

4280 XWormLoader 5.2 x64.exe

pid	process
4280	XWormLoader 5.2 x64.exe
4496	XClient.exe

pid	process
4280	XWormLoader 5.2 x64.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWorm V5.2.exe	agile_net
behavioral1/memory/4280-471-0x000001CA23750000-0x000001CA24388000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

200 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
200	ip-api.com

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeXWormLoader 5.2 x64.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133559443728406926"	chrome.exe

Modifies registry class 46 IoCs

Processes:

XWormLoader 5.2 x64.exechrome.exemsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{44830D07-D0F8-4B10-9449-A785B56D466A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	XWormLoader 5.2 x64.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

chrome.exechrome.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeXWormLoader 5.2 x64.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exeXClient.exe

pid	process
3520	chrome.exe
3520	chrome.exe
3084	chrome.exe
3084	chrome.exe
1612	msedge.exe
1612	msedge.exe
1540	msedge.exe
1540	msedge.exe
808	msedge.exe
808	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
4188	powershell.exe
4188	powershell.exe
4188	powershell.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
4496	XClient.exe
4496	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7zFM.exeXWormLoader 5.2 x64.exeXClient.exe

pid process

2020 7zFM.exe
4280 XWormLoader 5.2 x64.exe
4496 XClient.exe

pid	process
2020	7zFM.exe
4280	XWormLoader 5.2 x64.exe
4496	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeRestorePrivilege	2020	7zFM.exe
Token: 35	2020	7zFM.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zFM.exe7zG.exeXWormLoader 5.2 x64.exe

pid	process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
2020	7zFM.exe
840	7zG.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe
4280	XWormLoader 5.2 x64.exe

Suspicious use of SendNotifyMessage 57 IoCs

Processes:

chrome.exemsedge.exeXWormLoader 5.2 x64.exe

pid	process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
4280	XWormLoader 5.2 x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

XWormLoader 5.2 x64.exeXClient.exe

pid process

4280 XWormLoader 5.2 x64.exe
4496 XClient.exe

pid	process
4280	XWormLoader 5.2 x64.exe
4496	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3520 wrote to memory of 4708	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4708	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4236	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4504	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 4504	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe
PID 3520 wrote to memory of 3500	3520	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/x69MMf
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0a029758,0x7ffa0a029768,0x7ffa0a029778
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:2
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:8
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:8
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4748 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:8
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4952 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:8
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:8
2⤵
PID:1296

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2812 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3720 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5496 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5172 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4044 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4080 --field-trial-handle=1864,i,12814933021407767438,11039293106912481105,131072 /prefetch:1
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2828

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm\" -spe -an -ai#7zMap21278:72:7zEvent17761
1⤵
- Suspicious use of FindShellTrayWindow
PID:840

C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gsqocjik\gsqocjik.cmdline"
2⤵
PID:1768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB124587E2EA4224B839CCCB24F9325D.TMP"
3⤵
PID:808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa123f46f8,0x7ffa123f4708,0x7ffa123f4718
2⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
2⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
2⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
2⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3364 /prefetch:8
2⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3340 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
2⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
2⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,8288140144768582078,3132687408780556290,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x304
1⤵
PID:3284

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3563cf3a5b45b55b_0
Filesize
280B

MD5
80cb909c8cd0429e0a92223ddd16f13d

SHA1
cec2c5150c526178875c62aeb7124fd47ef3947c

SHA256
fe5f9525dbdf89a1985a4c4bc39c5aa6c5ccc14f0cab9d5b1ba34fea18d5191f

SHA512
85fc15cc2d12be7787aea4fb8897cc5460fa52a7120606be019cd827d42de6fc797d71687d474244f8293972a93ca4c261676ac0fe949e799b230a5c010e00b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3a64c164d5261895_0
Filesize
328KB

MD5
cb9900ef24caebf848a4c0bdf5a22c9b

SHA1
03fc9305d11ad87642d5828c0d4b0942eaaf0d63

SHA256
001e0bbca06dad34470748fa5122b98767e4e18ffc8bde4a0e77e1330bbdeb02

SHA512
10253dddd2b91306f9784d8b309df2aad76eac7e018470f9980801f9ebfecc33bae7ca032537c8095bc94226af2913b503278027b218b47cf02b1ee5dd1ffb91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3cd27a14dc13afcb_0
Filesize
19KB

MD5
360d4ab480b7186319f431d0fa329d98

SHA1
984c7467536b3a16d622ffa7e2ef0289f15510a9

SHA256
c31ffc46ec07c6d550a9f2471668ae909c2f3a7716031ef6add34991c1a8a6c0

SHA512
6536e8ebf35d5c0aa17896dfd4574bff51bd6a864e38e12f95651b0d885a2d0c04d628ec2993250f2c5e2a1213945f53145fbba60029aac788398bba6c4fe27d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ba54061886c82dc2_0
Filesize
289B

MD5
e9604fa6a3e32a25797a161a8f1aef99

SHA1
12fe8ef30e009dfcf071ab6d89c5bdc5ec3be094

SHA256
47858f97b3234afac3c87f4899f4b7d75455a7ba39dbe89e752c52f36ec220c1

SHA512
5c83ce2e7806392c3437c81660f0af78751d5f5e94815fcbef8e3aaa72ee16391b3a87ad0d4c69e9c079f7b81c118762a2c620789183413bb259e7b7b0fbb35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
72a37823bb338fb0f28029dfe00ff381

SHA1
fc93371ba16a3880d76c30ebe4f98c45460aaf6c

SHA256
c65b800eef1fd003bba0dfa929ed54abe97ae4e6927e59923ad2f6cde335c4e1

SHA512
c5cfa691d8416218bdfd17c1129ad8290f3c3fd6699859659d5a383ebf16cd4a47f01580f7277469cdd2586112df0f13c5a81d5d0d5b531e9ed435fe15aa3081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
c7db4f211fbae35943a44d5a17278ed3

SHA1
f170aaada456c9aa94493840ba17ba6d7ee95867

SHA256
2271bae63663825acd64b4b5f3d4f7445b1412705d745ae01eaf7ec2e1fc39ef

SHA512
951754c567b2536c85129758dd019469ace323cc1b301cb1cdeae96ed84267d03737813d453fe174c08ffb11b6018281f21d5e29992af613b5762cd9a9e889c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
a3bec2a0f6f92ed6ceece95d3fc83502

SHA1
dace740bee8bcf1d60f95dcc8d4494d6443bdb82

SHA256
a30edf1adb00c50dec9f38623d71f024754a06ec0662b21b86f075717bc74d4a

SHA512
b038b707b1750f87376ede7c57ee5caaa199ab83ba1e5e3d31dc936cb2a0a15200c42901e36f830250751d3694dc17eeb895ee76aea17c821ca90c739d1c05ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
57579828d0239a3b2662e92cc49df070

SHA1
a57f6f823634798bd174beff9e326fa4d720d695

SHA256
3913ec21e828194dad5000d1cca1789530dd8c6da551c842cf67a42b81aa7809

SHA512
e3cdc2ea605b51d55f73015850d46b549fb39c4ce53be9ebcb092ed632843d2f07d3f3c6b1202f39ab981bbdd072327ebe94de7775ec2233f588ace432e75e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
b879b6b3570f12a3b1e137bae4bb5617

SHA1
034aedf2f4fe915db1b18d8886ede5cef092c0a5

SHA256
7eef5951df1a1ebcad7e19735ef4212140b8e1b71f288a15faa5059269e16c05

SHA512
9ff2bed30d08a6597b93ca5e340ad9d174fc35c089fea997ee0d94f3c14d43c5d927bc6fce90b200b9bc39d486cc1cb87d55347cd06d77d61cb505d84ddd6046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
637784fa2936ad1d048bd2ae4fbe18f7

SHA1
db3862c07a5a8d0c3008828dfd356560f80c4f3f

SHA256
cea6a10c4cbaa763c5d646a4e3a02b36f35bfdcca9ef3680024336b31fd583fe

SHA512
13a09e47fdd58c21e971d88a0fb7ffcaf7fb816e5f57a281099288dc5e42de1bada2e35b15b12f26c36c297f7a5fadb206eece7fa7072d8dcacf521cba1d711a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
93275587aac51de9251851ee446867d5

SHA1
d63b49b8077fe31a94a38bd3c4240611d040dc7a

SHA256
ff8f67b978e148efe8b8b5d3ed48d3b942006fcbe3896d7ffec3e0f4333ce627

SHA512
1863e559ef349a4480780cf8aa688911e63d92ce88266b0aef61babc2252f9d495d434324c830ca465240b9a0c7d8cb7337879af6ec40dec52e19f5e05d3e4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
c07c9dd399fba3e5565a3768ad90f086

SHA1
cb04565a9aead120b24bee0f5af2e1974faaef59

SHA256
57de3cc1082db80a29f6acfc997993ac1220094b0429ae9cf41e356f91b210a9

SHA512
cea1daafd391380f17946376a278bb3795be13846778bef8df091a20ca6e7dce7e69f34726334ab96f1d0c10c74620bdc841f85ec58aa068bebe414a8cbae389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
54421b02f996251fc726ab820bc2ad17

SHA1
e5f23fa58eec25c16dfe0739a1d30271836f88ae

SHA256
8cb27b7b9a3776596a49041d8847751a46e0c4ac752b11f8466f4b08bae83ce2

SHA512
b50b6ac4dadfd096c423238ca945d7053d6c59dec9868cd40c7624bbd6e28f45e9ae559e116594c51be8dfba82949e313ea83611d0b7705663cf3b2f88b07720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
3801f69d46e39b27409d253533975eae

SHA1
de0348c89af31cc707c6f9377a46db3e8eba8722

SHA256
961693fad63fdb29106b1cbe9c3099943ec9353f8ceea2c37f66ef5ec9179357

SHA512
6c03691caf29c649df4fd62b7f4253f6aac3d251816eea4a7a356fa3296605d48754af0d57a204d2e1c3740146450015ff82a167493f515c132af4f8a7c05211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
0ecc3a281a4cb957f8d4cce941e796ec

SHA1
8108c21672cbc601f309c0a4ba594d1837d456de

SHA256
07650b48bed2ad6a5025d0fa68aba326dd0ddc0fad7b117368124f6005e94b44

SHA512
3516a953ed47291027156a4f6d936ef4cca4442890bf2ebbfa5ed9e4d30a8c231e019dee15bc2223665d264241dd8ca0be446b6f337a5109c469a27324220860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
6a4e94926d233af40e9958d51d83c636

SHA1
86c158fcb30c6ad8879e3c13d61570dc7519575e

SHA256
3e6cdbd07ea31e1e21e1150a92b65486378b4e3da09ac936c944ca7f0c35c6d9

SHA512
476b3de3a7fb7b9bf904666f85fb850e30e9cdc28630b859596eb3cb2ddcd740efb9833518372486c533f8a4e5a448735de066c11951e5dfe697a34a85ccb9e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
d3cc741ea34d70d24af71d2ba705b053

SHA1
fdc951e0ae3ab08da322c420af078f7fbcc6892f

SHA256
e7cb03fe8b96d92d1d4a03bdd89abd89e23e4e046183e8fdfe81fee44f674f4a

SHA512
11c7781321babf20913baa0094a0932c6d15897167c82136d7f89db76b214234e79f3f9a889f5bdd6d6a70ceeb3788c4bc5e94c0971f8c144d0aba5c13f617de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4d28bc7ff9292e479f2db700bb34fb96

SHA1
922da2adf990c1146bd6f56e8f516ff96d11924f

SHA256
1d43d492acad77c3a201e77c2768c1961645ec466641f59707ea2be27aff44ec

SHA512
2fb7b6016d5f89fcae031c8289f1fcc935691387c9e39e3fb8b24d7466d62aa8953ffd7723ea8141900ef07ef2d665a86c957a482121381a6ff4755725f57fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
48294ed106aff5a8901b74b349f87c04

SHA1
d1975ce5138d5f34b05477422f00055b5c66cea6

SHA256
f607bb3f62e30a041c1f6115ec90565c2fb8194758a1c6eedb00646fa9a0bfd7

SHA512
9487f9d9acd5108e67b7ef7f5a75110fc0fe308df7c00cee2a0ad1fd3a88e81baaaaac19765edfde5873419eb7a117eff1a6353b726e65dde2838aa48535b896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
264ccd6b78a7b2cd5a1cc97c7b6a6465

SHA1
d1473b7256a54158da82a964a949b6814df6eec7

SHA256
69658d1969315ced177cffea98e2ddcf1519b5ccf74badaaf5aed31af87037ea

SHA512
c69eedb55d99414283cc9f2fcb0c3821722f3dfb81a3918c248430b15eb6ef630618c46e0e114d352f25d872dc41b98bc8fc0da2b426f142bb44becb197725b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d4c51c36dcb9a6c2dbbee2ee07429ef2

SHA1
3b2ba1786ef786d6ef258f33bf3853fa6843f730

SHA256
8e0e199059a24ed460f9b6b1b65a25dee6feb06262e96b54ffcb10b81713fe52

SHA512
9d764ee97c7bd36748317a4b018c93a366a5dc0adc6a482714bd343b286d9c871a77b4f2415f70d0e35b039aa91fc39f1b08a730f89c7218481926f738f36a24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
132b5d9cb5946dd23b899805df772225

SHA1
e7cec9fe4bf417e0564ce99644f49b3096743cb6

SHA256
a7d03d75d83bee96435ccfb889c1bad88076644fb474b838690f8d58dba9a3c4

SHA512
b5ccc9462935b853c154e56c89f8a0c33839baa90fcc2ab7b31e723a69b1b69426b8b6cfbff57b6f0ee102e91c1d071a4f366554de0f1c57ec2b49a1ff01cf6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
451230f9297c84c92474f5f2522ca201

SHA1
028d4232bee8ad1a7ab4b805aeb7d59ef82f9d27

SHA256
bb904591d141356c43379e2ae4564bc6ddc9cf30a58d786960a3fe031576a9b0

SHA512
3bc2c7e16a5e7cca2d73a09ee3a375f480336daa4bc842a8f8a648bf95bfac3cf5a01f8e6c5e90ab759c6f5bc96e1afe88d49d9dee206d5816b5a06c741a8203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
9ab36a546bca3dcf135057f86178389c

SHA1
91c9966ae0e991e0daf3427fb5eeee2ffae476da

SHA256
2948a87b024723603ca99da80b93757ad0e2f739145cce8212e877a69f9b0e54

SHA512
336b2bda277890abcad93e89e5e63ce0c6228e72dce07dbf002918d8b3726455479020ab961d7b98f2ff6cd6a9d7e1379bd0bafa9694d510d7ebd70ae12d466e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
110KB

MD5
dbd00173ba380f01f9cde997f9b4b5f5

SHA1
299ee131a48eb0d078ee588416ab13a23747fed1

SHA256
de7fb0cd634e38b895c64dd44b188cb7eccc76ab42f607db44a987956312ab0e

SHA512
4efecfeede6ee65f964b4478a2e0f06f944a64ff6a2ac853f6859a6358610ea081afc96e34a96d5ed45f6e60db1dc8f7dac0dc1898f5134bc3a8333938c1dcdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d89d.TMP
Filesize
97KB

MD5
e23fd32dca098e57aa1d2258103d28bd

SHA1
6d776bcb5e891884e3ad0cce2ccc09fa9f6db229

SHA256
117ed7b7e5468494701c72558be8d02cf759ee7f8659af92e02c27565e0a667d

SHA512
de687387935898d56d6fb776ce493ac89b194dccec466fcc1bb6e956d9907f90c6b16803c293dbcf7bafd36e4186238545a8ed627e02f94d600751642c3fb0e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
34KB

MD5
3060ac80130d23555fadf4515e40ff70

SHA1
3cfc80c3d60d120a06b9ed55f3e8e51fd8859d9e

SHA256
d910d04b57829fd461019430e1d095960a5c0c5b377533c084430be5cb7b6186

SHA512
b1f1a86324c9e34b7eaa1b28badbe3ee4fdc1ff8707451f0f05e6e2abe78d308993f00817f42aa901ce800cbc7507ec0bc8b2a747cb36b96b5b12b40eb1ae7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
1.1MB

MD5
2d21a8d9db851866c6027b830ac737f1

SHA1
859824d423a9e61510c3767330f8f457eed41598

SHA256
c35991447bbbc072db4c275cd94135b49ed780e40499a27e1bc6ef2abf978107

SHA512
77b58079f9cfa9aee4fe266bac4ed660a31659566ffa01012be19122e300d7f618876b7edb2ec0c77648af4e8d6be781fda472407b32bc9d172dbe1a45c00b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
45e07f76802812384ebedbc954893c40

SHA1
db40a449b8f816c38ff41b092741473947314015

SHA256
b639d1ef8948b5fd20dacaf3bc8e34a6fef18b4b5e1b686c80077041c7113e3c

SHA512
6be8706ec188b0cd98020c7c16dd88d6a4c7fea0ce773e9cfb059c30e8ec34ac65f7ef3d94a1cac94ef3eb7f469e815c84a236c6777c912319432ad51226c01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
e2464f6f12be767b0ccf62cc472a6b8f

SHA1
faa8b966290f048cd8efe9b7b373a2b9ae8ed0c0

SHA256
851c668d7d324f9dffcf48c7f91b86a9a1cfbdaa3d51a2073b24414f08281783

SHA512
90737191fe99843b3674960f84b0cdb03e4616fcb77a7c6b4ee93f02a1997d35993bd1bf075b0d537475c0c43f303fb88b1c9f2ecbb50aa3cb70238ded6a3475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
948195144fd80f5c0de147abc38fdea9

SHA1
44dcab920f471e4d0bfd64b29a5c319f66988767

SHA256
5587c8b812f788aca0d29373a8a93791bb05fcff1b457c9cd380f09a81caf7ea

SHA512
54d9ab31a43c35d6ca3c24266146e884115acfec9f809c636b5f90f69e84c8b4641206da1ab84c06960aec571521245a6096ee39fa0e660339c86ff99e6e0caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5ed7f4d0cc5cc0ddbafbda72284c211c

SHA1
653d8de7bae441f44c8f7b2dc674c3a9fd25a319

SHA256
0f0ea953b80710aa66638c0e1b6045666ffdf629605658fbcba9f804bbee3157

SHA512
ece59e1a0cd3ac8e19c3060f56ee6e0af7eac5ad58b8580f6086e40c62afb2c999d92d4a09f84327be69cc480e8422162ae25c255ba9fc319400263a34dd820a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
022d91d645ee87c37d87c546b0558b53

SHA1
fe4f40b2b20efeb8561d1b54c28687fec94ff8d0

SHA256
9069c1487e35797297a4377c2e3a8a0433dcff69b0f05d20c74c959f742b1060

SHA512
7b7bb665a18fcb3b0227465de1cfaa1a8aefad366d3f6c5c764e38113a0e13541f011429012a9f4fc956bb52f988b3cc09623450d178f16e81fe3d4b7bdd368c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1e3e746efbab1fa579919615c11413b9

SHA1
912d90a9a84ff344cf3139540a276b56eef9100e

SHA256
2205569c370d2625bb1b188e3a79511cd66eb12188406608e96a87f64a13421b

SHA512
0a5c621bab4be1305b03f2181032c95352bdb2a74aab85b7de1b67e0c1c54a55386c19a19e3a375c99642923d174a0b2072f2ab23218507a97031e091ceb9664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
fec16471e427927a9d37099c2c81b0a4

SHA1
c4abd5fb77416a7d010aa03ae12cb57ef3c32f9f

SHA256
ce85d0f878b5d2965bc6b61568fd3224dc5e976240f8c34b110cccb522d00793

SHA512
f7231293d4390954e24e814678052a420c68b45c0a7cc080349ee1361eead720e8cd72e6b263a7c771449675f24a8861d9a432f22e7ccd823c0228a3a59009fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
12ecb128959259d86f36f39de0c0e386

SHA1
aaaf3390d637c9ac2ad9374c0f857a1469a79c66

SHA256
f2016dfdba9ce9d3f1229553f2d300d49638c6e4037caf7c8ca78dfe022d7149

SHA512
034d2b8375469155bcaa7ae3145b7726845b13b39559f3745e270e7e0f2b3c79bb45776b05b8b73dfb310c0c3cb2f2bc55e38db2d6cebd4d8f27a1d8fa21822b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
534B

MD5
c23f92761402e64cd33942283547e11b

SHA1
2b4664f0e59ba4c689d7b2d5ff2598a17bb9e1ee

SHA256
a5833964e7b601102f8cc891a540310f674d5efd6c2d282b9e3a9a4c475d3446

SHA512
5de26b57108a7945a699caddac31624028a22b51d80fdfcfa0170a8a00df41bf3385e1cfdfc572694c6cdf6fdeb790715806a23c1ec178efabcad76a719c5c23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
869B

MD5
3899e567407c05c2b5f78185f6500e11

SHA1
7078f41ccecd2f404d0fe67f388e6dbe2dd1bea4

SHA256
0efc8416d5f5af4cdcbc7b18a19c0f861b694c54fcc54e6f2e5fecb78d9dab96

SHA512
4478ca3d40c74c0b9210e6ac7acf26ea9f7c511438d76985dcd5bbd7aaa759d51552337dcd379b58fb16dafa7fa3aca49319e48b3860f6f77f1208d2684cee64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c44b1.TMP
Filesize
371B

MD5
ed7c53e637466947ada50b8ab7a54b38

SHA1
5289854ead4af6cea73e5b50cffd8cba3faec287

SHA256
ea6ea33f91fd186d803ada9c102170e000625383fa18f889574b03053cc4cc2d

SHA512
ebf4bb9f17d2f0d8d9f46a683fd23e1108e22b94bf974ccbbf4179de8263d0e7e2d8b2be7e584e6023772e5ff2b7435594ff3f290281f4b92476e71b74c8ce78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
89dde9375ea3ed11b6a6333c9fe9ad41

SHA1
1c532ec234d2a185fb7a41c58cbb3e796975fb43

SHA256
72a30a29a616b11d3a47a73f4946508b2671b75cfc1199e3a3cd340b5af8484a

SHA512
68e5c0a9748e28eee996cf9c276aeb74c4e2e704ef7f9c29e23f0ccc8bc40a225d163a9e3e093b23e1f85f84c8f68b43e50e71ec84461e5c94363f2df9c7ba65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
34764f14d34b53f825f47381c82a8ef3

SHA1
f0fddb29e1c2e2095f7a014589339853a2f13461

SHA256
c4236ea2f5d802da7e4fe900d0bfc7ffdbc7179d39e9fef1c35055e52aa0b180

SHA512
df9ff0c865f5b9f57c91fa6e95bb4d5146b02c2090ec9972f6b3d08d20a831247a7dfa4361f2db9e104a4045c439ffd2698045ef6288e3714c0dcbd029a1764b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6FF3.tmp
Filesize
1KB

MD5
bf054a103fd874827f897b81568eaaa6

SHA1
26586b51615e744b6bfbf6f93ea91c747023410c

SHA256
bb2f096548acd4fa60c9da8f7f33a9703936c26dafe6f8b593df8b25bcf6faa4

SHA512
9bf7812390595dbc17aed21656d54e924132f3b9b3aba82011031da658fa735887e8e381d369cf74b3235b3bff87f16273586cc05fb5c35ca153f0bb6c9bef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4smrn34e.gzu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsqocjik\gsqocjik.0.vb
Filesize
77KB

MD5
6a94f6bc5514e6500048c1549fae0ecf

SHA1
60a5a24961cf0aee6c46143ab02404217abfa5e8

SHA256
260dacb88279c2b0f82eba7435b2e5f70b5a6918ac4c5cfbbb879267aa45dafe

SHA512
552ce52a1b3e73bd21c259ad4222d89217e2d5a02c76d1575e56182359465c2a25474cd53eb5a52417c7e7395a7449a871043001cced16eae9187e3f689d26f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsqocjik\gsqocjik.cmdline
Filesize
292B

MD5
80fe6abda9b7a7f44c8179b5492216fd

SHA1
069d0eef80608387d08e9e8ef063083dbbe674c1

SHA256
a25a790bab9ed09dec099fdf9444017d0cf12d0c2d2a41af1a30bd4938ae0597

SHA512
9c0bc9d7c961fe09849d2e4046f58f7201211acc8e4f81142aa3a18ad126fddba40fa7e18202636a75c5322ccdd18555e1bcf80a9c7e1b1876c588d94f5548a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB124587E2EA4224B839CCCB24F9325D.TMP
Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Downloads\XClient.exe
Filesize
40KB

MD5
7f84d13e80c6824bdcf926575b4cbdf2

SHA1
53e2facb23c0e38ef44c05fc2da78ca6ebf253a3

SHA256
727fdb0234cb3298519170af4504d9563aad22dfbdeb012c41d5400e863b993e

SHA512
87f10e9e20ec0021529618f7ec4a367f30f1b6ccda4602eab5c2f55163268c7d7bd3cb12aba6372646c3f92045ec61155468ef7f93bf674f3cc79fb8d50e0977

Download Submit
C:\Users\Admin\Downloads\XClient.exe
Filesize
69KB

MD5
81991c828d7f442752c21c2d1359c1f9

SHA1
26a49f7a54be26be82687904aa945ef42070b561

SHA256
d88b48432f127434235fafcafe3987eae087cdc656b9fdd54e7547462f64390e

SHA512
ebc4d72005d47d76ef024db410e0676ee484455c408ed3d18c631a5389a7352e97ea5c7e47a392b1d8782721e1a08856633e7ea5429beadc98d839254df8f8ce

Download Submit
C:\Users\Admin\Downloads\XWorm.rar
Filesize
31.5MB

MD5
6da70bf26573e64f3e1d15e388737089

SHA1
074ea18ed6ea60f0215281c3eb52ce0d8991e6fd

SHA256
88fc55c13ff6c6b0323636747fb6b0211882633b919d991dd312908069730dfe

SHA512
a5d4e28ef2dd60b1eb233809c9b7219d6c88dd8e9bf05e601b0c29f2b17c2b15b78e2682b50cbe5c591effbc99e22aedca9688b3feb4e8a8297312ead10de3c8

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.1\Icons\icon (15).ico
Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\GeoIP.dat
Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\Guna.UI2.dll
Filesize
1.3MB

MD5
2d8b26f37e910419389f5726ec98fc4e

SHA1
6418fa6f9583312908f14e0a249ca752c5d905e7

SHA256
ad2f814591ff20319b05ce5bed80d64a53b8bb4379cf9e35fa346a6ddf97516c

SHA512
8c745c8a414c11da561c00d363fc4505a66e80bf8b806de2ec6e8fbea63a03d61c71c9bd741a0322b2b895347339e454ad76ef96f91abe3638f500cdb88427d3

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\Mono.Cecil.dll
Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\MonoMod.Backports.dll
Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\MonoMod.Core.dll
Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\MonoMod.ILHelpers.dll
Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\MonoMod.Utils.dll
Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\RVGLib.dll
Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\SimpleObfuscator.dll
Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\Sounds\Intro.wav
Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWorm V5.2.exe
Filesize
5.3MB

MD5
b67b4bdcc683713acc769a033c3a8c13

SHA1
dcc370de9747db64692b19ddcca584e2db87a421

SHA256
c5fa913c60f2422d79a7de291d18cba7cc6c2c9541cf2481434cfc66b96813d9

SHA512
c884ff29d1b1e199d8728d4e7e99f5fec3506ef9d56ad25c9621b428ec2eabbf789aa920ee8d5fc60215b015ca1718e92a779fc172643256b74c145e3f273de1

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWorm V5.2.exe.Config
Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe
Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe.config
Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
\??\pipe\crashpad_3520_KIHNXTLKECEYYMIB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-1379-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/436-1385-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/436-1384-0x000001B043E60000-0x000001B043FCA000-memory.dmp

Filesize
1.4MB

Download
memory/436-1380-0x000001B0439A0000-0x000001B0439B0000-memory.dmp

Filesize
64KB

Download
memory/436-1381-0x000001B0439A0000-0x000001B0439B0000-memory.dmp

Filesize
64KB

Download
memory/436-1369-0x000001B043950000-0x000001B043972000-memory.dmp

Filesize
136KB

Download
memory/3668-1415-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/3668-1414-0x000001ABC49E0000-0x000001ABC4B4A000-memory.dmp

Filesize
1.4MB

Download
memory/3668-1412-0x000001ABC4580000-0x000001ABC4590000-memory.dmp

Filesize
64KB

Download
memory/3668-1411-0x000001ABC4580000-0x000001ABC4590000-memory.dmp

Filesize
64KB

Download
memory/3668-1410-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4188-1400-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4188-1399-0x0000026127D10000-0x0000026127E7A000-memory.dmp

Filesize
1.4MB

Download
memory/4188-1397-0x00000261279B0000-0x00000261279C0000-memory.dmp

Filesize
64KB

Download
memory/4188-1396-0x00000261279B0000-0x00000261279C0000-memory.dmp

Filesize
64KB

Download
memory/4188-1395-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4280-480-0x00007FF9F1508000-0x00007FF9F1509000-memory.dmp

Filesize
4KB

Download
memory/4280-472-0x00007FF9F0BF7000-0x00007FF9F0BF8000-memory.dmp

Filesize
4KB

Download
memory/4280-1330-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-1308-0x00007FF9F560D000-0x00007FF9F560E000-memory.dmp

Filesize
4KB

Download
memory/4280-499-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-1345-0x000001CA2F760000-0x000001CA2F8C8000-memory.dmp

Filesize
1.4MB

Download
memory/4280-498-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-497-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-496-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-495-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-494-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4280-493-0x00007FF9F5614000-0x00007FF9F5615000-memory.dmp

Filesize
4KB

Download
memory/4280-1362-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-1363-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-492-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-443-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/4280-445-0x000001CA22800000-0x000001CA22842000-memory.dmp

Filesize
264KB

Download
memory/4280-1444-0x000001CA2FBC0000-0x000001CA2FC72000-memory.dmp

Filesize
712KB

Download
memory/4280-491-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-490-0x00007FF9F55FD000-0x00007FF9F55FE000-memory.dmp

Filesize
4KB

Download
memory/4280-489-0x000001CA23450000-0x000001CA23644000-memory.dmp

Filesize
2.0MB

Download
memory/4280-487-0x000001CA24B90000-0x000001CA2577C000-memory.dmp

Filesize
11.9MB

Download
memory/4280-481-0x00007FF9F1509000-0x00007FF9F150A000-memory.dmp

Filesize
4KB

Download
memory/4280-1331-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-471-0x000001CA23750000-0x000001CA24388000-memory.dmp

Filesize
12.2MB

Download
memory/4280-469-0x000001CA229B0000-0x000001CA229CA000-memory.dmp

Filesize
104KB

Download
memory/4280-468-0x000001CA22AD0000-0x000001CA22B0C000-memory.dmp

Filesize
240KB

Download
memory/4280-466-0x000001CA08840000-0x000001CA08846000-memory.dmp

Filesize
24KB

Download
memory/4280-465-0x000001CA08810000-0x000001CA08816000-memory.dmp

Filesize
24KB

Download
memory/4280-455-0x000001CA08820000-0x000001CA08830000-memory.dmp

Filesize
64KB

Download
memory/4280-454-0x000001CA22A70000-0x000001CA22AC6000-memory.dmp

Filesize
344KB

Download
memory/4280-452-0x000001CA22A10000-0x000001CA22A6E000-memory.dmp

Filesize
376KB

Download
memory/4280-450-0x000001CA08870000-0x000001CA08876000-memory.dmp

Filesize
24KB

Download
memory/4280-449-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4280-447-0x000001CA22980000-0x000001CA229A8000-memory.dmp

Filesize
160KB

Download
memory/4280-1443-0x000001CA28420000-0x000001CA284A2000-memory.dmp

Filesize
520KB

Download
memory/4280-1442-0x000001CA2F8D0000-0x000001CA2FBB2000-memory.dmp

Filesize
2.9MB

Download
memory/4280-1441-0x000001CA28210000-0x000001CA2823C000-memory.dmp

Filesize
176KB

Download
memory/4496-1437-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4496-1440-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/4496-1368-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/4496-1367-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4496-1366-0x0000000000190000-0x00000000001A8000-memory.dmp

Filesize
96KB

Download
memory/4692-1429-0x0000022E7E5F0000-0x0000022E7E75A000-memory.dmp

Filesize
1.4MB

Download
memory/4692-1430-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download
memory/4692-1427-0x0000022E7DD80000-0x0000022E7DD90000-memory.dmp

Filesize
64KB

Download
memory/4692-1417-0x0000022E7DD80000-0x0000022E7DD90000-memory.dmp

Filesize
64KB

Download
memory/4692-1416-0x00007FF9F67D0000-0x00007FF9F7291000-memory.dmp

Filesize
10.8MB

Download