Analysis
- max time kernel: 127s
- max time network: 130s
- platform: windows11-21h2_x64
- resource: win11-20240214-en
- resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11-04-2024 09:13
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
xworm
5.0
testarosa.duckdns.org:7110
Rg1w8TcZ1AXGhMnB
- Install_directory: %ProgramData%
- install_file: WindowsDefender.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe  family_xworm
behavioral1/memory/3540-672-0x0000000000DD0000-0x0000000000DF2000-memory.dmp  family_xworm
-
Executes dropped EXE 4 IoCs
Processes:
XWorm V5.0.exe, XWormLoader.exe, WindowsDefender.exe, XWormLoader.exe
pid  process
756  XWorm V5.0.exe
3540  XWormLoader.exe
1360  WindowsDefender.exe
1140  XWormLoader.exe
-
Loads dropped DLL 1 IoCs
Processes:
XWorm V5.0.exe
pid  process
756  XWorm V5.0.exe
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe  agile_net
behavioral1/memory/756-639-0x000001D189F30000-0x000001D18A9A2000-memory.dmp  agile_net
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
29  ip-api.com
-
Drops file in System32 directory 2 IoCs
Processes:
lodctr.exe
description  ioc  process
File created  C:\Windows\system32\perfc009.dat  lodctr.exe
File created  C:\Windows\system32\perfh009.dat  lodctr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
-
Modifies registry class 3 IoCs
Processes:
msedge.exe, 7zFM.exe, OpenWith.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings  msedge.exe
Key created  \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings  7zFM.exe
Key created  \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings  OpenWith.exe
-
NTFS ADS 5 IoCs
Processes:
7zFM.exe, msedge.exe, 7zFM.exe
description  ioc  process
File created  C:\Users\Admin\AppData\Local\Temp\7zO0D8A97C8\XWormLoader.exe:Zone.Identifier  7zFM.exe
File opened for modification  C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier  msedge.exe
File created  C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe:Zone.Identifier  7zFM.exe
File created  C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe:Zone.Identifier  7zFM.exe
File created  C:\Users\Admin\AppData\Local\Temp\7zO4887D108\Fixer.bat:Zone.Identifier  7zFM.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
XWormLoader.exe
pid  process
3540  XWormLoader.exe
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, 7zFM.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, 7zFM.exe, msedge.exe
pid  process
4916  msedge.exe
1152  msedge.exe
1384  msedge.exe
4164  identity_helper.exe
4008  msedge.exe
2180  7zFM.exe
1580  powershell.exe
4248  powershell.exe
2700  powershell.exe
1144  powershell.exe
2180  7zFM.exe
2256  7zFM.exe
2940  msedge.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
7zFM.exe, 7zFM.exe
pid  process
2180  7zFM.exe
2256  7zFM.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
Processes:
msedge.exe
pid  process
1152  msedge.exe
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
7zFM.exe, XWorm V5.0.exe, XWormLoader.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, WindowsDefender.exe, 7zFM.exe, XWormLoader.exe
description  pid  process
Token: SeRestorePrivilege  2180  7zFM.exe
Token: 35  2180  7zFM.exe
Token: SeSecurityPrivilege  2180  7zFM.exe
Token: SeDebugPrivilege  756  XWorm V5.0.exe
Token: SeSecurityPrivilege  2180  7zFM.exe
Token: SeDebugPrivilege  3540  XWormLoader.exe
Token: SeDebugPrivilege  1580  powershell.exe
Token: SeDebugPrivilege  4248  powershell.exe
Token: SeDebugPrivilege  2700  powershell.exe
Token: SeDebugPrivilege  1144  powershell.exe
Token: SeDebugPrivilege  3540  XWormLoader.exe
Token: SeSecurityPrivilege  2180  7zFM.exe
Token: SeDebugPrivilege  1360  WindowsDefender.exe
Token: SeRestorePrivilege  2256  7zFM.exe
Token: 35  2256  7zFM.exe
Token: SeSecurityPrivilege  2256  7zFM.exe
Token: SeSecurityPrivilege  2256  7zFM.exe
Token: SeDebugPrivilege  1140  XWormLoader.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exe, 7zFM.exe, 7zFM.exe
pid  process
1152  msedge.exe
2180  7zFM.exe
2256  7zFM.exe
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exe
pid  process
1152  msedge.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
msedge.exe, OpenWith.exe
pid  process
1152  msedge.exe
4248  OpenWith.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exe
description  pid  process  target process
PID 1152 wrote to memory of 4236  1152  msedge.exe  msedge.exe
PID 1152 wrote to memory of 332  1152  msedge.exe  msedge.exe
PID 1152 wrote to memory of 4916  1152  msedge.exe  msedge.exe
PID 1152 wrote to memory of 1960  1152  msedge.exe  msedge.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5.0.rar 1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb44513cb8,0x7ffb44513cc8,0x7ffb44513cd8 2⤵
PID:4236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:22⤵PID:332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8 2⤵
PID:1960
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1 2⤵
PID:5032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1 2⤵
PID:4376
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1 2⤵
PID:4240
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1 2⤵
PID:1460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1 2⤵
PID:1464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1 2⤵
PID:1712
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1 2⤵
PID:1220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1 2⤵
PID:2412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1 2⤵
PID:4644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1 2⤵
PID:4912
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1 2⤵
PID:5112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1 2⤵
PID:3824
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1 2⤵
PID:4352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1 2⤵
PID:1436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1 2⤵
PID:844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1 2⤵
PID:2252
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1 2⤵
PID:3116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1 2⤵
PID:400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1 2⤵
PID:3536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 /prefetch:8 2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4008
-
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar" 2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2180
-
C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:756
-
C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe" 3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe' 4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe' 4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe' 4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe' 4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe" 4⤵
- Creates scheduled task(s)
PID:2068
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO4887D108\Fixer.bat" " 3⤵
PID:1476
-
C:\Windows\system32\lodctr.exe
lodctr /r 4⤵
- Drops file in System32 directory
PID:3652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1332 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:1932
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:3044
-
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵
PID:2000
-
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar" 1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2256
-
C:\Users\Admin\AppData\Local\Temp\7zO0D8A97C8\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D8A97C8\XWormLoader.exe" 2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4248
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
152B
MD5ec7568123e3bee98a389e115698dffeb
SHA11542627dbcbaf7d93fcadb771191f18c2248238c
SHA2565b5e61fe004e83477411dd2b6194e90591d36f2f145cc3b4faa20cf7ae266a75
SHA5124a53fbbd7281a1a391f0040f6ff5515cedf6e1f97f2dae4ab495b4f76eb4f929dcda6b347f9bf7f66a899330f8897e1ed117314945d1de27b035cc170fa447d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5410aeff345df7fc1748b91533d63d0e0
SHA1d30e6d1a73c7aadd5ff379fea94440e65008ad9c
SHA256b537049ee17df9da1dd7c785b38786048a6ca59f6d294fa7b686dd96beaa40a0
SHA512291f9e118056c2552375498bcadb99f27219c907eadda7ae30959227ad2f3f7af8617fcdccc9b570537ed1d6cc08c5416bebfa88b08c489e87d452fae9af888d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_best.aliexpress.com_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 240B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b2c5.TMP
Filesize 48B
-
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
Filesize 112KB