adwind | 215d09d1793ed0f9da71484b97fb12b7d40b0fc0cb5f509e037ed721760c9d96

Resubmissions

21-06-2024 18:05

240621-wpjyxssgrq 3

19-05-2024 19:58

240519-ypxk5afa97 10

19-05-2024 19:48

240519-yjgygseh3x 1

19-05-2024 19:17

240519-xzbkzade91 10

Analysis

max time kernel
1785s
max time network
1790s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

httpsgofile.iodntQlho.txt
Size

26B
MD5

beb4937bff161601f6e59c168205d2da
SHA1

c26f4c5c7334eb6184d08adbacbb8fb6a8653ab4
SHA256

215d09d1793ed0f9da71484b97fb12b7d40b0fc0cb5f509e037ed721760c9d96
SHA512

16ab09407a5af59545ef8defb651b13572987bbcfb4fd87fef2de24d977ab3c6e8b7d83e83cb8247fae050724ecea880637b57b2dcc6164279207478b35f4eb5

Score

10^/10

adwind agenttesla agilenet discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Class file contains resources related to AdWind 1 IoCs

Processes:

resource yara_rule

sample family_adwind4

resource	yara_rule
sample	family_adwind4

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2816-2799-0x000001F079580000-0x000001F079774000-memory.dmp	family_agenttesla

Executes dropped EXE 4 IoCs

Processes:

java.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeXWormLoader 5.2 x64.exe

pid process

2080 java.exe
2816 XWorm V5.2.exe
2844 XWormLoader 5.2 x64.exe
3448 XWormLoader 5.2 x64.exe

Loads dropped DLL 64 IoCs

Processes:

java.exe

pid	process
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe
2080	java.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1124 icacls.exe

pid	process
1124	icacls.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2816-2791-0x000001F05C4C0000-0x000001F05D0F8000-memory.dmp	agile_net
behavioral1/memory/2844-2855-0x0000018EA8660000-0x0000018EA9298000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1716146908360.tmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1716146920648.tmp"	reg.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

126 checkip.amazonaws.com
127 checkip.amazonaws.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
126	checkip.amazonaws.com
127	checkip.amazonaws.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWormLoader 5.2 x64.exemsedge.exeXWorm V5.2.exeXWormLoader 5.2 x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1748 ipconfig.exe
2124 ipconfig.exe

pid	process
1748	ipconfig.exe
2124	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

XWormLoader 5.2 x64.exemsedge.exemsedge.exejava.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	java.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	java.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	java.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Downloads"	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	java.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	java.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000100000002000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	java.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	java.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2024 NOTEPAD.EXE

pid	process
2024	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exetaskmgr.exe

pid	process
2376	msedge.exe
2376	msedge.exe
2636	msedge.exe
2636	msedge.exe
632	identity_helper.exe
632	identity_helper.exe
5628	msedge.exe
5628	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exetaskmgr.exejava.exeXWormLoader 5.2 x64.exemsedge.exe

pid process

5944 7zFM.exe
3896 taskmgr.exe
2080 java.exe
3448 XWormLoader 5.2 x64.exe
4492 msedge.exe

pid	process
5944	7zFM.exe
3896	taskmgr.exe
2080	java.exe
3448	XWormLoader 5.2 x64.exe
4492	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7zFM.exe7zG.exetaskmgr.exe7zG.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeXWormLoader 5.2 x64.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	5944	7zFM.exe
Token: 35	5944	7zFM.exe
Token: SeSecurityPrivilege	5944	7zFM.exe
Token: SeRestorePrivilege	5468	7zG.exe
Token: 35	5468	7zG.exe
Token: SeSecurityPrivilege	5468	7zG.exe
Token: SeSecurityPrivilege	5468	7zG.exe
Token: SeDebugPrivilege	3896	taskmgr.exe
Token: SeSystemProfilePrivilege	3896	taskmgr.exe
Token: SeCreateGlobalPrivilege	3896	taskmgr.exe
Token: SeRestorePrivilege	5280	7zG.exe
Token: 35	5280	7zG.exe
Token: SeSecurityPrivilege	5280	7zG.exe
Token: SeSecurityPrivilege	5280	7zG.exe
Token: SeDebugPrivilege	2816	XWorm V5.2.exe
Token: SeDebugPrivilege	2844	XWormLoader 5.2 x64.exe
Token: 33	3896	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3896	taskmgr.exe
Token: SeDebugPrivilege	3448	XWormLoader 5.2 x64.exe
Token: 33	4468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4468	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zFM.exe7zG.exetaskmgr.exe

pid	process
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
5944	7zFM.exe
5944	7zFM.exe
5468	7zG.exe
3896	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe
3896	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

java.exejavaw.exejavaw.exeXWormLoader 5.2 x64.exemsedge.exemsedge.exe

pid	process
2080	java.exe
2080	java.exe
2080	java.exe
5836	javaw.exe
5836	javaw.exe
5836	javaw.exe
5836	javaw.exe
4548	javaw.exe
4548	javaw.exe
4548	javaw.exe
4548	javaw.exe
3448	XWormLoader 5.2 x64.exe
3448	XWormLoader 5.2 x64.exe
3448	XWormLoader 5.2 x64.exe
4492	msedge.exe
1428	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2636 wrote to memory of 3196	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3196	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 4604	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 2376	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 2376	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe
PID 2636 wrote to memory of 3552	2636	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2168 attrib.exe
5716 attrib.exe

pid	process
2168	attrib.exe
5716	attrib.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\httpsgofile.iodntQlho.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeea0f46f8,0x7ffeea0f4708,0x7ffeea0f4718
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
2⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
2⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
2⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
2⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
2⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
2⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
2⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6092 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:5480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
2⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3244 /prefetch:8
2⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6504 /prefetch:8
2⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
2⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
2⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:8
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:1
2⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,653830095412800681,8670910576630945133,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5776 /prefetch:8
2⤵
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5832

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SorillusRAT.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SorillusRAT\" -ad -an -ai#7zMap31715:84:7zEvent26827
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat" "
1⤵
PID:5136

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe
jre1.8.0_361\bin\java.exe -jar -noverify Sorillus.jar
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:1124

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3896

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4104

C:\Windows\system32\ipconfig.exe
ipconfig
2⤵
- Gathers network information
PID:1748

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Celex.exe.jar"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5836

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716146908360.tmp
2⤵
- Views/modifies file attributes
PID:5716

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716146908360.tmp" /f"
2⤵
PID:5476

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716146908360.tmp" /f
3⤵
- Adds Run key to start application
PID:5504

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Celex.exe.jar"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716146920648.tmp
2⤵
- Views/modifies file attributes
PID:2168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716146920648.tmp" /f"
2⤵
PID:4472

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716146920648.tmp" /f
3⤵
- Adds Run key to start application
PID:1680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap5034:88:7zEvent11706
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeea0f46f8,0x7ffeea0f4708,0x7ffeea0f4718
3⤵
PID:3268

C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2hj5soyu\2hj5soyu.cmdline"
2⤵
PID:5160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AFF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8612FAA2A253486796B0648FC91197E2.TMP"
3⤵
PID:3252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2992

C:\Windows\system32\ipconfig.exe
ipconfig
2⤵
- Gathers network information
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Scripting

T1064

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\70d345ff0bfad49b.timestamp
Filesize
75B

MD5
2daac55e15cf74042ad20779857471fe

SHA1
22ca7233498d1a04c5a2ab76d5fef1af965215a3

SHA256
1230cf63c9b20dfa257675345edd626a09fc733a085ce25fc9072286c08b1f8e

SHA512
d0830011bf642764c34f113704d462d78de54ce0a9aad9b7ddf2517c4728091c1c98dd53704602f0d7aa9a7dcc1a488752a21bd0a16feb12ae5bd6fd4c86dee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
2.5MB

MD5
fa480bead3b1aea24794f4e93cf08197

SHA1
857f766c91694368b4d9fd4d056dbd829fb73e49

SHA256
8f4f98377bc2c0b101fb1ab70f4d82e4c7c634bcc641f33809f238fcacffef2f

SHA512
f9e27a505704c425fe48ab542fe3d2648fed6ee50bd27cea73d96d148b42d7d533f78548e34694eb4756c44f96cf35596cefcec9b3345d03b219a81c7cc78037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
5eabb4589ec1289c027257bdf2d74c48

SHA1
f0f3c4503b2ccd145e8574f587eb33975a7ceadf

SHA256
4ffe2b4f970fe29d9f97b1c25898764bf7ff4d9d3fc297eccb0516697374b432

SHA512
c380689b26ba9b9702d91a66533b8bf24e9d2e02ee7c44452c4bca5f0595e1dc3ddbd0123dc08b1a1cbc5b8a01901366b1517f3ba9f4cf528ec58e05a592d109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
fcc7f6ef3e045dd0888b5dfcd28aeabf

SHA1
f67feca13f67b51a63b67809b324f6b186583518

SHA256
aa3ccd67382b242321c76b6bf12f5234afabc1ba937143702dd02b43bb8b2700

SHA512
37e201b1e003a55776609dc3f8cd97f213b7ce08f3c0909d773dc8c36113328725fa7dda1b16fbc6e9b224b6a4e7fb48ff084f603d4aa508c556e4b064a25a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
69d7eb09e6bd5b50514dd362cbd087e7

SHA1
25e6528c5e5d07d6d6c3492e976208f6a9c7dd11

SHA256
477b893618e8561491ffca441d25ec0737123956ca6f65122ca5dfdb0af8680d

SHA512
57255289d42b41686a5e9e3fe6fec5cba43724adac418cc37f53403fb688ced9769967f91f92a9ac53a67cd638321718382d5c8f93705e5a15019e292ff61aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
3fa12c658cf942703a6624c4cb24ec0a

SHA1
d1a0917eae43b8b344b9c7dcd096a67c114d53e3

SHA256
88bd7c588fe320e2d6f943a2f1958c2ca74b67725bae54761a62c8b501f34b03

SHA512
8092c49503834ea01c8e6a21e1e1dbd2aa4bcefb84b7905f51399fea6f04db908025f5a82e9cd4566cbc55bfa5eadf715b38c9025522ca755f467c8c5ba6c534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
757B

MD5
fc4893edc929b69f31939a74c66e4239

SHA1
4ca18d2064716875bbaddea2e6007db034945f73

SHA256
a489b123217d27bf4f7516ff090f51e1ab47e083d667951ae35e1305b60832d2

SHA512
060d426899d820f22c0ac19a3e61367a6f1d87ce6b4564969d5cc185d68d54452d2d0f0760bbed9e0e07bf2a273032f0817e45a81a6db3a87d3004ffef383c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
82b3aae382e261f620a314cb2a9abfa2

SHA1
1f492004491c5514788de4b586bc07ac4e8ebce7

SHA256
0426b2485ad4e62280dc7f010d0a8e10890c4a341eb15ac1fc851ef1c2fd9736

SHA512
68a9d70afd5f346cf20fa2e02371da63e7d65ccd2f0f0c6255540e8a9a4c2bd4a6e3b54d5b1a5df9471558c6d384a32843bf0ef90d342b52e409b7e09241a6d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a53217970519865115da01edbb39c6ee

SHA1
78afab296f6edf5b59aece72e491be8abd56514f

SHA256
15411acda37df67f16f987df7ddb8c1bebbcc281638f43871f30e69761524adb

SHA512
11eafa52ab13998117a1cfd5d214e7f3960be9169e902453ecbbb3432580ead57ea2b2db99261363819cc5c6fe4c56e2ad5fe71e2cb6d51aed3234964748367b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cbe65cf892708e3f75031fe6aa52b215

SHA1
8bc19729d7f2ac1c9a947c705e8778cddabb2371

SHA256
dd02eaf501a5272318316a13857189345103e4ba2afcce09617cbdcab1d0bd53

SHA512
93bcf97745757db17a2c1496989659ff06e5c743ca83f656a950b8d79faaecf256894a60ece9694d4a370a0f4270da2b6477e5e38f552dc95d6966f5a19ae205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
05af7b293178fbaa400eec1dada28e9d

SHA1
ef3bc2694cc4d3393846f93170c31fa8976ba4d7

SHA256
f1ac04f56752691a4feef7afba19745c133837133d338bcfcb528dda2971b196

SHA512
7b79316dc4bbce8173255dc9949a9fd5e2674c653d8e7c0442a6a247838728064f2b8835d822006b39a41f1d1e591816eae5602cdfa22c5d6d4d2fa609d35a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3726dafa7e706d36b03b1b29268a2ff4

SHA1
df20b9faab268e936b71dda72fe9e78248463eab

SHA256
867c057952dfb669e0d3bec3c4820d8a1ebeda5b85183e9ae28622b20c0d2b54

SHA512
a95ee7b544068dcc857d8cfe9961b9d74413e52db7de7c634a85f15ca7ab22654c96504289fe6cfbb60924bec97e3795e7c2429df70ea686d459b7d61c291075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a771f6ef8fb6ad357677be569c616c34

SHA1
98cc72cfafed2b42cbf36d43688fa2f3a179bc26

SHA256
d7e56fef9a644fb72026a361986344f01cd1db3af5135f1910afc4aaa5a86122

SHA512
b482d9d54dc3ee3130a913dfce975f883359e55f583621bae937d8799362d497621faba5483dc0c1a687d941cd25681e590868504ebc6150099c5664d85705a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5c3d317e623301b41ed3373d54821aa3

SHA1
e631985dac1eb6d524b5c4e1dd8a73c3a91f879d

SHA256
8dcc788d63246b2e9ad3113eaaafc80cf1fe1293551bee9df2444708bbec42e0

SHA512
bd17c58aafe9e33a83d3e0e64249b127797bbc475d5bb798a5313341ca9cbdf0a15f1612725356dc9e1ef0f42eec19e4d08aa613b2ca2a898c2b3a56db422725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
872B

MD5
e98083a1c4b69e85d15e05e8e7cdae55

SHA1
6d110a4f0391ca3dfc1fac60bb5c30a0270f8465

SHA256
9a950b9775a953b86426a2deb00e7aa176c79d42ac053e9cb9585f22c03c4ae2

SHA512
f0024ea286e71325bae9c61e55bc81f926863fb962e0d15c1980ed04954397c53263ec36b7a17fd0c38c3aba6c0d4ef44e4d2f8ba1311f9b5a95eb180ae82b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3ee0fe24dba5e899123fdec0047b9b5b

SHA1
6cc92e85872d4688086b01974768fed50eb4aee5

SHA256
bd25af59e8e946ddb6acf968d1dca5d21667594c97dbaa6266ee5318558a9d70

SHA512
7fb9f29bfd13754bf9c0b8b76d887375dbca960a3d5cf11a9a41b461bbbfb8a3e011f41316e3a68728dfd776f54b942d7921de8c2ab72afe1c70b1c7f2a61b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5cd74f321c61d6238eca076880e2a961

SHA1
ac1bd5dc551bcc2f643ce4d9657d9377846b9fc7

SHA256
9d06bae1f1f5b52fc9e439000589476b21186c7e780ca68470aa505ee9a843ad

SHA512
1ab6cf74b33273a8b990510258063ceb41c038fdb372cc704cb4bb3f368262764d7bb67821177f0bc2c2b96518eb3559bcdece80c4269440f68b7f40f67a80aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
db68db98011d43cf9741ba1300648c1b

SHA1
e9f1f674c907c6232ba655abd77fb53fc95a8377

SHA256
1e4ee1f8e2e708780b9f74aba902ba77b9f68179996e4f0bf6ba2a2f987768a1

SHA512
c5e5a4d22e50b9d810acac69a65da242aff0d2828192f7c729c97467a72cd46378ad6fc9e345cf6657b4747066f8bb341b343c9743f43b351274639a82630524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
99e46152439be05108859d0878d59650

SHA1
7616d9909db7ce1bb1fca745fb1b06dfd19d8ec6

SHA256
0eed9848c9e29c4ab35517bee5212eeb9dabeca2d276a713337bae5738262d41

SHA512
2893cc5ef8cbb481af2e9c18ddefd1065aec9da942da3537cab4ecd946dee34eb8194beafd20bf58acb8b3e275e7fa2b24f79321407cba8bc92740b9640184fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0b0a56b73021ce05d2df6ee2d6e28130

SHA1
29f2d51788d879c05bf0510c7eb85ade18f2c7c6

SHA256
6def432bdab6d48d984158e612642c8aa8fbe1f835546c681a8065039c6a5e86

SHA512
613dde010a30d197882b05974b15959b4878d3e103407683df38d8257dab7d7789c0e08ec4b071fe255bc8dad3e95a6975a00c2d2b90e7fb23ae324344849deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5e3660.TMP
Filesize
370B

MD5
5da0d7a88b717edf6daf931d049b44a4

SHA1
d359a72b697b7620e60163f4306ff2ad7bfba008

SHA256
2160f8521c1bb84ed88c9a3f69a66388f8c1adb9f765f16d87c18f789b409c97

SHA512
c264ae260f22974ccf2436a0662dc714ca716a644465b65ed5f23d9dacc8073f7c6b1053ca28520aa2798c84bf496244bd1705b5baf97d34fa237c16b83e3436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
77ce0225c819cff1a7c4a2010c87721e

SHA1
8af14b896358d225b22d94caa8df683105cfa9ac

SHA256
5857f32896ba992d95bb5235566053290f622ac68642627ed4066d26feee28a0

SHA512
91e212d15167751d609a299ffa2b8b01d9643142911f42aabd45ada65a85a5a961bd85703b272777553caefbe9575cce1797e28e30bbafc1ee0a62b0884de650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
62d5e82b1a1ab3d2724d9a0733bc475c

SHA1
7b2fdf55600e0fa430c2734851284a3933010f71

SHA256
a4003894006414d3a6f28f0c595d484fe5d1e89c224c902feae38fa92a76b587

SHA512
397d55aa451e1e6f5bf09d4e427a28b52d8323b85f1666e1485127b243512d8662689884e03aa3465a2bd7c480a93d667e7c9346b9bdb9215265aab8c1ba766e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
afd408833d9eb424aa96c59a9750a689

SHA1
d8f6dfc857c2a0f123c9c87609d62d80cf9bd346

SHA256
f53ddf94a0f9ce54f8c9adf8b082e0bcd174bdac4bcf3dfe57578caff047e7c9

SHA512
350259274d2b6222d18fd1279920553b50728db9659cf031bd311bc8a9bc21d24405631730fbb63225aa94edd563ad6a47b829c7736b9f6810216634bd933c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2aba4d524841b7f2590c9506ae126ff4

SHA1
5a1762448982a61a3c909c16420fac0793b1526a

SHA256
bcdf41ef5fbd8720ffec63ef1f3e0c220b040386599a5b07765df31c35a10c14

SHA512
6a0cda9f02d3950fd26cc74f5aa516985154941f6f1a90fc8c84e07a2ffeb45510205fac5d26c3225fbbf000747cf455c5d2c1aa84ffd48efe3b485072c801b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c56285aef3c3756d79117c798300297e

SHA1
86f1bcaeb539e9b37ef6e921a613ba884b57cde1

SHA256
152c8f7287a8f6ffb058c2740e3efa5e618d397d61fff2eaedaba822ae8c22b7

SHA512
784b7df1a4f6b716dba2de421f052c26fc5034e55d0374d6a6eb16b505b2d36f45e3291cbac9846c822d01ada4631960812e36db276363a4754bab35dd8b8997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
659b2d57117aafd52a6acfdd10f5b4fe

SHA1
34c37991960e6ea3487f4fcd6384a83f3984497a

SHA256
d9778a3160f089531cecebae6c0e337ed998abbe9f9c81d70ebfb134c6cd30b9

SHA512
0cd00f2c818d3d4cdd191db5fe28b30575fe8ab75a7dc08e60c1158ccba326d41d46cc849583f3323cd6d5a9afcfa6c8185032f52b00306989d3cf059977617a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
e06a2285e9189331cf406921da64ccb1

SHA1
911ee668c14e08d76e526f784e624d6234262ca3

SHA256
8f0dc11763576a0920b2a2d57e27828fea5fb865b5a3d763f71331948fd4e5d5

SHA512
dd0b7c92b24a724a02b20f2a000dcb1b11e0c214bb3ef31e31a7e8fb428d0b45ce5869024b3a8169cd129c3c0708f3a203468cc7d5761be0929c67662f6e81a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
31fda221c6dcaaa5fa4602c38311b5fc

SHA1
95cf9d9297b138ac6517d629a3104108763b395c

SHA256
789369717edb0a8202c8d7c41dcfd4a278f05c5d58e00c7989f1b0bc2d46900a

SHA512
ddbdc8be1172710a70972429bd896a9673f52f1743f630ab0f35573c4eed6dadef344d44072946fd778b2fbea6a6bd63ebbf3b4bcd4f045149821e79a58fe776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a35e222abed4298128361db73fc66fe7

SHA1
7acadce0c21d6682d15dcc79cad96a454a3784b6

SHA256
5aff48e6edf4b4f38b0174c099ba37e8bdfdee429e055ea7d26f925da83b8ed0

SHA512
45fdac99c3b86cf845ade0485b3b1758fbc6c185bb7533f88a7808f0861294ca81b60815f585e9f8a9675c4d7bd38b33fa89dce577e79c6515026458cb3ba48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716146920648.tmp
Filesize
3.3MB

MD5
ce13a85d6e9dd92da53ec1132b082b3a

SHA1
eac23d6fc01fd6815b6eb75df12c6915ec0c2d4f

SHA256
6b67f083f4cb0edb6f680a0732d7ea6f8398f4a5ba86d5179e3252e2af277d16

SHA512
261a5a592acf1552284447e621edef7c4aea9b6482d4008cbb216a7e739ed405f2ec1fbb210a54091af919cd8e6b7a10c293cbb08b9a9ce365a658c8edc36acd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\Sorillus.jar
Filesize
10.1MB

MD5
f9119b4bbb55ce59f43113c71cd177f8

SHA1
1605b453fa74091f92f51691a3dd378c1b67f3fa

SHA256
3eb57cd3c204ba1741e4500ef2566f524b10f4da23b3831f0855abcea0987649

SHA512
b166ce950e2c2bd2f23fe9063656ffd31da66dbd699419a71479d52654bf4113bddd8f51392577470a6f1342cc7546f5474d0765a209ff3b01ae65074d04a650

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-1-0.dll
Filesize
11KB

MD5
919e653868a3d9f0c9865941573025df

SHA1
eff2d4ff97e2b8d7ed0e456cb53b74199118a2e2

SHA256
2afbfa1d77969d0f4cee4547870355498d5c1da81d241e09556d0bd1d6230f8c

SHA512
6aec9d7767eb82ebc893ebd97d499debff8da130817b6bb4bcb5eb5de1b074898f87db4f6c48b50052d4f8a027b3a707cad9d7ed5837a6dd9b53642b8a168932

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll
Filesize
11KB

MD5
7676560d0e9bc1ee9502d2f920d2892f

SHA1
4a7a7a99900e41ff8a359ca85949acd828ddb068

SHA256
00942431c2d3193061c7f4dc340e8446bfdbf792a7489f60349299dff689c2f9

SHA512
f1e8db9ad44cd1aa991b9ed0e000c58978eb60b3b7d9908b6eb78e8146e9e12590b0014fc4a97bc490ffe378c0bf59a6e02109bfd8a01c3b6d0d653a5b612d15

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll
Filesize
11KB

MD5
ac51e3459e8fce2a646a6ad4a2e220b9

SHA1
60cf810b7ad8f460d0b8783ce5e5bbcd61c82f1a

SHA256
77577f35d3a61217ea70f21398e178f8749455689db52a2b35a85f9b54c79638

SHA512
6239240d4f4fa64fc771370fb25a16269f91a59a81a99a6a021b8f57ca93d6bb3b3fcecc8dede0ef7914652a2c85d84d774f13a4143536a3f986487a776a2eae

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll
Filesize
11KB

MD5
b0e0678ddc403effc7cdc69ae6d641fb

SHA1
c1a4ce4ded47740d3518cd1ff9e9ce277d959335

SHA256
45e48320abe6e3c6079f3f6b84636920a367989a88f9ba6847f88c210d972cf1

SHA512
2badf761a0614d09a60d0abb6289ebcbfa3bf69425640eb8494571afd569c8695ae20130aac0e1025e8739d76a9bff2efc9b4358b49efe162b2773be9c3e2ad4

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
11KB

MD5
94788729c9e7b9c888f4e323a27ab548

SHA1
b0ba0c4cf1d8b2b94532aa1880310f28e87756ec

SHA256
accdd7455fb6d02fe298b987ad412e00d0b8e6f5fb10b52826367e7358ae1187

SHA512
ab65495b1d0dd261f2669e04dc18a8da8f837b9ac622fc69fde271ff5e6aa958b1544edd8988f017d3dd83454756812c927a7702b1ed71247e506530a11f21c6

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll
Filesize
14KB

MD5
580d9ea2308fc2d2d2054a79ea63227c

SHA1
04b3f21cbba6d59a61cd839ae3192ea111856f65

SHA256
7cb0396229c3da434482a5ef929d3a2c392791712242c9693f06baa78948ef66

SHA512
97c1d3f4f9add03f21c6b3517e1d88d1bf9a8733d7bdca1aecba9e238d58ff35780c4d865461cc7cd29e9480b3b3b60864abb664dcdc6f691383d0b281c33369

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.dll
Filesize
163KB

MD5
db081a9968bb0c37a57725cdb66a0c7b

SHA1
d5fed172d82111d1f3bcb46ab3bd8b412f3ee003

SHA256
5b9b01f1ec06ad559285201cf0907e1c31473f6fb91aa09813dd8f076f94afe3

SHA512
8a3717be2bdc1d2e628a069a61ac5b504467c52c7b52496c14050cd0fbc3e1023c791ca8b5c3270579e1cc725a8a0cff62c427dc1c25c2ec74725d1dacc621d5

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe
Filesize
273KB

MD5
47b34557cbf069e0ad9807305cb5c36a

SHA1
58abfbefc486427175b15e69e8e8f4e346318c34

SHA256
cabcfcf1aebf926bbe03b2aded9e7bbb57f4e10600578a6f2acafbf83b7423d4

SHA512
f9354ec19c3bad2a3a9e95211a306e54ebe559127d8ae660ce75c88839afd558821a0a858366db8820517cb12f7fe0056bb5c09199c1fe1a9083e299b02a148d

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\msvcp140.dll
Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\server\jvm.dll
Filesize
8.2MB

MD5
a5b5e313919826735b73731252a2bc2e

SHA1
090054f0aeeaaac570130ef5a03c26970cdb050c

SHA256
86765f3558ffbb2cf28fb683ee17c288967e636b5cb4fe0422ade39591f6abf4

SHA512
2e0199624f91f9c952ea4fb81a01096febe8dde6fba85f66e7978c98ba749da3cd53cb6d986260e357c19a1d3b5411d6716548ef57e31ec75d55f4d3a3420c3f

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\vcruntime140.dll
Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\verify.dll
Filesize
54KB

MD5
c15088054d639475e51b88251369c226

SHA1
8849a9ee53e6bc7d1618103b674a6f481b72f3aa

SHA256
a7e7890ec2e238b3108fe2d9b4796898b2fff30ce07957f60689975d7460098c

SHA512
81ae70caf0304c63adadc3437e592ea9540db59ac7bd7417b769b5702a2aa012bec79aab8ce01187ebbd78555b7824fc4434a113dd9be5b667ce693b293122c4

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\zip.dll
Filesize
84KB

MD5
7c7a8adce66eeb67a96ca617c8286d72

SHA1
da1f100637f0b94aaea4e3999ef96a32a63bfc2b

SHA256
d15be64cc05ae14db69b5a3558cd57767eda91e708c74d3dccdc4958c42cb5d9

SHA512
00d3c1145b8c8ea246f456000c2fcfe1e978d148ad69ddabdf9e5f332db4e44025211916c6452b5030f8326d523d6e72de8aebd9e41d83afccb8713e88782f31

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\amd64\jvm.cfg
Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\charsets.jar
Filesize
2.9MB

MD5
82ade56ed7fa67287198802746ee6045

SHA1
2c5ad0a04bd0fae259cf29af346379284c684d42

SHA256
c89895405e63110d69bb37178f0650bf2a4a489ab9e98da613464c61c475b58c

SHA512
cd3c2180e185d1fce354ede366845668ab165ad0ebf7fd9cd9fbb3723ab64c3515c30e772e1577a747468e530d677c7955b41528d39e6d3c8c988b11604e470d

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\ext\jfxrt.jar
Filesize
17.4MB

MD5
671df034c39d335d5e9de4da7cf70e97

SHA1
184aa46308c1af192f119b6cae48c6a567175592

SHA256
0fb07fad0f05706dcdb487ef3fa8adfc97e1a47792ee9cb7af359c77a9393542

SHA512
7512b351ef1429bb722318c415cbcd5459dc86678b11634e3dd8e83394e59a48551a817842d73107546ffdfe05eb06f7ab4ce6a853ce266f3503885d4517a8ed

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\ext\meta-index
Filesize
1KB

MD5
005faac2118450bfcd46ae414da5f0e5

SHA1
9f5c887e0505e1bb06bd1fc7975a3219709d061d

SHA256
f0bce718f8d2b38247ce0ac814a1470c826602f4251d86369c2359ff60676bd8

SHA512
8b618c74b359ab3c9d3c8a4864f8e48fe4054514a396352a829a84c9b843a2028c6c31eb53e857e03c803294e05f69c5bf586e261312264e7607b2efd14f78a9

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jce.jar
Filesize
119KB

MD5
1f4d4fc6b33c30c5782c66b80d92c4f9

SHA1
194df32fb23b470dae4929605d18abd041c743c6

SHA256
81b8de0e148ed3601cf5f1bdf2787c5b15213d842bc537af9ede9635d692b904

SHA512
dfde7e03fc106b785887f2a409b3528c5862663f188c95f6a95c739bdfcc8c6205c03b739de1b259e9a8a0360aa4e10e8d4bce1a57445797a214160b8d98a085

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jfr.jar
Filesize
559KB

MD5
18c5aec1e008f781bf74707662920000

SHA1
c29c11cda5b867b68cba1fa7cb331d54a66b3f56

SHA256
e9eab8ec4712142a3ed9ac833d853e144043699c1712986736f3667a9267c11b

SHA512
9988b510d7e036ef41673edd8e38e2f72b695741da3ef63678b808b5e10a76951d016e27cdd23857de0ed0f3b44be8f7fb3a141021b543f104f2a214e53ca74d

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jsse.jar
Filesize
1.7MB

MD5
f095a5ac04775e1093d54822460cc5a7

SHA1
2e0f0ec528c41b437126c506a91fe1ad5e699865

SHA256
784b8df88387ee27383d6db4e184b169a21cb4b8bcb0d8395a7b1ac2b128108a

SHA512
c0b5ca94ead3dffd33e19a2d757b2b653867b4f539a143ef17baeef1015c3845aba4f0666ef1d0c7ce02d156ce826b9c324c8159983a71d19d60415d60e25d36

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\meta-index
Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\resources.jar
Filesize
3.4MB

MD5
0fdcdf2b521c8ffba3fcae32a684358e

SHA1
45a3ae43334b1a0f46d76599d3926c40fa790965

SHA256
2189d10490922562be379da742eedc5e77cac61a6d2a484a3ed4693965dfe290

SHA512
1a1489faa7903bc24d4cc3fbd0ee80e79602a39ea9530f10075a52460e6100c807dbafb17e4b1a7997c23cbe3906808291be7718e6525a79a295e1ddc8ed9eda

Download Submit
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat
Filesize
60B

MD5
b7e19bf7ee3ff739bb7977b9b9655c44

SHA1
8d0c93c1a8640ba323ef3005f84658d6ef2fcb8d

SHA256
bbff9e1199f9720bd6f14697d367aefe2f296da6865ec739e9acfa0790d973b0

SHA512
d754a41f895e708c7086029a33421f2e87282339b55654062a26eeb9ea0ceda6dbdd6ae7a26589f6289a9547ae3c21c816e39b357da2ee5877fef1e48331300b

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.1\Icons\icon (15).ico
Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe.config
Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF2679071292346755608.tmp
Filesize
43KB

MD5
731484623dfcbf11c948feea896b83c8

SHA1
464d1c30e20128907d6f6d667a48a3213ac4df83

SHA256
a4d9acdd8e2bb188c832059a86636b4b26118d5965f0c08debd2b62c0d63c9a5

SHA512
5dacfce6e70eff4141f107cd47c0c50068205485a9977fe60933238e750de8a46acaf99eed8dd08d70de2266360315db6b247e8e943fa276023c5360be81e794

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF3790428857200786426.tmp
Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF5019489218488616842.tmp
Filesize
163KB

MD5
881e150ab929e26d1f812c4342c15a7c

SHA1
18788c5d630fa695f9283f6393bfa541b2031508

SHA256
c576c50642271bcdbfffed04f92dc8d6a981daf300914d0a20c8a5a5a57015c7

SHA512
af18febdf3e0d5fc8111e6335bd8cc4fc8dd944910db8a4f3ebae284e3d1064eb793a25588007e3d1cee24051e11cf3328951a3f708375856d54176a53701b49

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF6813249912731640021.tmp
Filesize
164KB

MD5
8a36205bd9b83e03af0591a004bc97f4

SHA1
56c5c0d38bde4c1f1549dda43db37b09c608aad3

SHA256
4e147ab64b9fdf6d89d01f6b8c3ca0b3cddc59d608a8e2218f9a2504b5c98e14

SHA512
e96b43b0ca3fd7775d75a702f44cd1b0dfd325e1db317f7cba84efdf572571fe7594068f9132a937251aab8bd1f68783213677d4953aca197195fbe5db1f90d7

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF7146019636170851818.tmp
Filesize
52KB

MD5
de2d73ffb31b036a481049751970e2ca

SHA1
5c26b381aa54a3336729cbaf4281620e03c34873

SHA256
5afafd11dad40cc06023a6a5c1a6793b1cb55720314a18d4352879d6214b014e

SHA512
f19bda9d9f355dab1ae3846c5e3a6535e59c529d0efe6204dd54000f3e088cf94099a1ccab94c0fadf7631385b94ca8c667f76c0556066ea49f06b2ac1479adb

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF7205692237188711368.tmp
Filesize
212KB

MD5
629a55a7e793da068dc580d184cc0e31

SHA1
3564ed0b5363df5cf277c16e0c6bedc5a682217f

SHA256
e64e508b2aa2880f907e470c4550980ec4c0694d103a43f36150ac3f93189bee

SHA512
6c24c71bee7370939df8085fa70f1298cfa9be6d1b9567e2a12b9bb92872a45547cbabcf14a5d93a6d86cd77165eb262ba8530b988bf2c989fadb255c943df9b

Download Submit
C:\Users\Admin\Sorillus\.tmp\button.css9213279943481128537.tmp
Filesize
758B

MD5
bb7dbd6c54d0fd9ca50ee8de70939b64

SHA1
47e1721d8eac9b6a7217ef344c10cc7881aebfb8

SHA256
912e4053f404a73cb93525235d34612b6d596c20feb5fbb931efa43500354677

SHA512
9f8648024bb4975a5a606f4c9f10ffc4ae03a7abe5439950d6a30a2651b49a4835ea325108187ad4b29d2af939b9934d4e5fc94924fb466ac7d99d6a15d1767a

Download Submit
C:\Users\Admin\Sorillus\.tmp\clients.css282123002033402443.tmp
Filesize
124B

MD5
73170a0b32597f7f2394efda2fb0052c

SHA1
23b2b34660feedcfae760096debd44515c4fb580

SHA256
8bab80ef1af4a46664abf487b23a3cb3ba2fd083fc06b820089cbd9644a20b78

SHA512
ddc9e89df5a345c5d8d3b392aa9671c86afc2cb8ec0885430eab286ee1420ca11dc565e1afc482957564b2a5456d48a59d6a1a7e6ecff92f56abc8366fbc0719

Download Submit
C:\Users\Admin\Sorillus\.tmp\combo_box.css21994561355821977.tmp
Filesize
1KB

MD5
498754e23ddb8c5c3e3c9bf609b47577

SHA1
0b8826598e76767a0de26f978b1e6f3b6458e974

SHA256
f326907999d1a0f5676e49194a6f9111ae1212d3f59224c600e9863735369a85

SHA512
917d4579a22f6338a458dec1751a091f38b6dc0e052c5697ea0b2acb4ac84ba014408ca80ffe11de003d7f0641296404b4dcfeef742a910013796cb232bc79e5

Download Submit
C:\Users\Admin\Sorillus\.tmp\context_menu.css1240181730839811080.tmp
Filesize
661B

MD5
9a641e818171bbe24fe925f7af4e81dd

SHA1
7efbc11a1ac887cd5da9d4e8256a54af3bb8ba05

SHA256
92d1fa57a3d1a0d518a57a9e74e0e7d0122866d6ca7681aa630853647ede86c6

SHA512
dbf3aecfefb6b7fbe5f121534a37ddf806edd6c46ac618bdcfeaf0e9649745c1e8a15962d0d83b81fff4f802391d09ba2a01796c1285f375ac1a980c767320ad

Download Submit
C:\Users\Admin\Sorillus\.tmp\dark.css8809843794987549903.tmp
Filesize
3KB

MD5
59ff8dbc93f35f28ab482f133ac28293

SHA1
63e3f7a9ecca25be8564bc055b4a7a156f8430ff

SHA256
16f48ee307c4bf3f7beaea583a5a9adc8e633034b98b704163ea7e76737cabe9

SHA512
b0affc3055aeb16b8230be685f18cb9208df76522bb9fe2525d4abc329fb60c9dbf1f9642462b7495a0e7139a36349e1b2650495b78a6e38b13d70990a4c7fc6

Download Submit
C:\Users\Admin\Sorillus\.tmp\dashboard.css1621686255711373173.tmp
Filesize
190B

MD5
6c80cc46e79e122ffd3548fe8cb29b2c

SHA1
84b5047e39ba1bdbfa6d371baef4ef303a8fc7c3

SHA256
1489a290e7427c90c84ca7b77cd2d80df3dd9d8bcd522696ff94b60e5a03954b

SHA512
cdb642b4368cd300c77bf7ab49474108a0f53abaca1247709ef0b9932b9e79e88c6a3db64bae9183d9af8433dd73e058582729be92358eaa5a9538cf0dbb4404

Download Submit
C:\Users\Admin\Sorillus\.tmp\general.css2452566495717239148.tmp
Filesize
1KB

MD5
2e6f17893706cf54aeed01df5172aa3b

SHA1
e142252ab755e3e7da39b265bbb418bee00dac48

SHA256
b80d51557d8d16bca4302e3f7f0d8e6850e835d4778ee80ecff0e98de049ffb0

SHA512
2795d9e0de7471f2a9402f0b8160830e2903e3899a6ba4f48a0af11f41539903b7cac11d954558406e3386988a05db9a32c11441e0b7495a38cc2c9383b22858

Download Submit
C:\Users\Admin\Sorillus\.tmp\info_knob.css2045118106384643443.tmp
Filesize
584B

MD5
79122aabd3cbe4a40d204664b184d2b5

SHA1
3de2e92fea2cd2f710dd242d636498f2e80c371b

SHA256
63eb798090a41d9f58d00d68714a14bc283ae2b6f0aaea40f9f1f212fe56d9ab

SHA512
d24e64770469e3766b9e32f2d1ca35a16ba94a9a68647cdfb41733f6b07cb1fac03d44b3645fff41609543fbc952cdd645e268a04b84dd41a242c3b47bdbbcec

Download Submit
C:\Users\Admin\Sorillus\.tmp\module_item.css1806421097589660592.tmp
Filesize
155B

MD5
6b881a7f9e3dfa945c707f5388a976ab

SHA1
a95220bfabd553eda78e2ccd57f1984084720488

SHA256
f09f35867470f9fb7d3b9c4f98c4b02fe893fb83ce23c4211b0a688efb4137bb

SHA512
60f0de77da07b9c2496e320aa22523a44cf6e4f74b2574c8db7e5b47172b80e054596a405b37db4650e5baebcdb5ad42c4454decdef27315139fce9dcc422eff

Download Submit
C:\Users\Admin\Sorillus\.tmp\modules.css7092334409761565266.tmp
Filesize
583B

MD5
97f37ea9c78c33b054aef67214b2f157

SHA1
54c3955afb12f7df173a2206aa4f483a6e2db742

SHA256
5682f1b4f1f5e439c268fbaf2aa6ec2060e282c43fe97e9a2daebb4ddc56e843

SHA512
69ddceb534346bbecacf9855375f8769bd07ac6f53d0d5902390471e0b264edd129f608e7eb8830beff8baed6a94cf8008931a442e19ddbf9e85c357a5fc3c59

Download Submit
C:\Users\Admin\Sorillus\.tmp\progress_bar.css2250492402822674956.tmp
Filesize
253B

MD5
55063ed0226b8722a56d961c19936680

SHA1
37576cccf4418aa74092bec3bfebd5213aada034

SHA256
3fdffdea523c0d65fd7f261e7e135ad8475b6fb4355e3d007a3088594a154cfd

SHA512
ba3402c7ea2e340870211af824bd2b40cedf64831fa2487f2c76d6bf2347dfdbef03e656399a7b2e34a68828479b9e6a23a456bb3fb101056d0b5277b078a881

Download Submit
C:\Users\Admin\Sorillus\.tmp\resize.css2519286454651206398.tmp
Filesize
565B

MD5
cbd1a58315ffe28f325613b67496f04c

SHA1
404a64a68e24b44074c398478b85bb7b0236e913

SHA256
40918c842e036dc4c02dc143d4cf5090be7c01dd7810b94f21e72a2d58954fb2

SHA512
b0fd85aa76109b50cd1160b29614c0887e7eb30352264366c62fb4026c98b43990e90bb1482f7b970e78bf5911233a52be05eafa5b4fb1a9a7ccab9610f76a26

Download Submit
C:\Users\Admin\Sorillus\.tmp\scroll_pane.css6816697589315064245.tmp
Filesize
1KB

MD5
7a2bf0762025328cf652d44dbff7bcba

SHA1
0f5bf001f4e63ac1abd8a9bd3b89da48d8a915dc

SHA256
f89a8d102323d68933531a1d44c5b2a504498af437b37f8ae510d4de91c786c3

SHA512
caa5fba5d135dd8bdc1b6b883c5a73ec380eb60417196ea773176b063fc1af1f1968712b4e160d2ec654c46f2aa1ec994f1aef69c4185008dd58246dde575c93

Download Submit
C:\Users\Admin\Sorillus\.tmp\settings.css1993037522455021784.tmp
Filesize
460B

MD5
7c842af9762445abec623edecc8af664

SHA1
d633637714f6b053d2d2777d3063b313d0f40e70

SHA256
18c424d92001074e8cfe33eb7b1f9d3f8e2c17c4cb126bb49c113489058e8490

SHA512
2485c6cbf31edfe276198ef4bc871fee440c9e47560ddb8600f3728c1e36b72ae71b0d6f7566ce0bcc08d7a8b426c8d43943d324b24769becac676ab0159626a

Download Submit
C:\Users\Admin\Sorillus\.tmp\side_bar.css8817469551331493863.tmp
Filesize
770B

MD5
27415b7527613fca0681c4b9c43a3cfa

SHA1
a3bd2dd871815e4c5dca8bb96034d3abb58570f3

SHA256
8a33cefb03597bba4e46900861d93a0606e6c83c818f6f3ce5cbf84fbc0a0d4b

SHA512
7c6f4b7ec96968ad5c362475066ba8d6a8da4ee1e5a0c0956e9418714ef15e8058f2432c8bcaa89b48b5dfef04d0550133f4e454d08061cce0f22a87ed30d392

Download Submit
C:\Users\Admin\Sorillus\.tmp\slider.css1321831470170523706.tmp
Filesize
201B

MD5
7adbedfc83159cd9cb13a1d3950742cd

SHA1
bc38ce1bcbc47f5d8aaf53eb98b315cf7f4240a0

SHA256
d1a98a6648f650be0ed95df7118c8ddbcef07b898b3147ce66bd55d159dab8c8

SHA512
3932dcb3853a5fb190a7e1c55f0dab223d52a1d9180691d81a3a72e5948071f4c4684bc4a326b0de5de8388e4a74f59fa49979ceaeab39bc63305c96dfe6fee4

Download Submit
C:\Users\Admin\Sorillus\.tmp\split_pane.css6365030190219434952.tmp
Filesize
222B

MD5
e669c059e8c01018839674f28f184a46

SHA1
9756f5c15867b873ec5b95d2200dd243e65fbd26

SHA256
123d0f52e2fe8c239c63060df6c5a3bf4ea116f1d0a60bbfe8a287774114c40d

SHA512
9b21f3cffd379d9b3fb38f245e7987644086393aa5f4753b516a79c239037f282be79f870bcc8ac982ba6be6f33fbde1be713c5fe60b57f47004757a23441458

Download Submit
C:\Users\Admin\Sorillus\.tmp\table_view.css452831153434453780.tmp
Filesize
2KB

MD5
84d669ad2d89c6f4843bc3df8f611975

SHA1
1f5e315e70c2e5b28709b14741c2414e8eba7554

SHA256
43ab12f15a8792c28c993b85f5d9cc6e6375df36ee41bdb08161a9d31c5579e5

SHA512
6c9911117b9a39d984fc7b530166a64f65bd6ccd66f888b5b7f43f5316f04aabf5b265bfcf18eb60a67ca00722f0652f37526758ce5729300bb0176dfc455994

Download Submit
C:\Users\Admin\Sorillus\.tmp\text_area.css1792954596328519989.tmp
Filesize
1KB

MD5
4f0dfebf3681ac371c7aff5e7d0e0f91

SHA1
b576e22209e35d2e734452996402fa25da49b3a0

SHA256
3f27f2ac750e68f82402f83b0f9c8a448fcb3676f41832496107c76d83751ced

SHA512
6e992661d1494a503864ad343bca1ab425a1c72ec9e0a5686c86d7cf35e8be9f7352e7653070b24c0fe5460164f3e0d9fcfe4190154b4eb99c2b8258db623a3e

Download Submit
C:\Users\Admin\Sorillus\.tmp\text_field.css5465554121963393412.tmp
Filesize
399B

MD5
17a05544ad9f31393304af623d5ece60

SHA1
f28016a478b2f42a0a4c8e8e21f7fe7965df21b5

SHA256
39143bded6438ce26214b97c56fb648f5dfa71f24b4902281788ca62d4f4c7e6

SHA512
9ec244a5ad7f1ea620b144a18cef70d8fc45463a7bafc7bdff59c29586141f77eb324e13000855af49d629a5492649e9a4377539074e997877d458e67d1ff1ca

Download Submit
C:\Users\Admin\Sorillus\.tmp\tooltip.css2480505113000084515.tmp
Filesize
409B

MD5
1f5ce20df9cb96221ab047d62eec2faf

SHA1
313652f0a06cd0f2d5490a8a58b16fabab5fa8b0

SHA256
e0dbab93951a7529fb7e078f958c854ee5faa9097229aa73762396e9a64faeca

SHA512
2cfe638c93bd7b92072d59405b685831bd21bd7ef30dc04cb1cc5df2f88d62b6e09fa9733ffc50d605411d3b32622f98b3a4f9b1209525357bc7501a4a94a783

Download Submit
\??\pipe\LOCAL\crashpad_2636_WVKRMJHDAAQOWLCY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2080-824-0x000001458D3D0000-0x000001458D3D1000-memory.dmp

Filesize
4KB

Download
memory/2080-845-0x000001458D3D0000-0x000001458D3D1000-memory.dmp

Filesize
4KB

Download
memory/2080-930-0x000001458D3D0000-0x000001458D3D1000-memory.dmp

Filesize
4KB

Download
memory/2080-1119-0x000001458D3D0000-0x000001458D3D1000-memory.dmp

Filesize
4KB

Download
memory/2816-2799-0x000001F079580000-0x000001F079774000-memory.dmp

Filesize
2.0MB

Download
memory/2816-2791-0x000001F05C4C0000-0x000001F05D0F8000-memory.dmp

Filesize
12.2MB

Download
memory/2816-2798-0x000001F078690000-0x000001F07927C000-memory.dmp

Filesize
11.9MB

Download
memory/2844-2851-0x0000018E8D690000-0x0000018E8D696000-memory.dmp

Filesize
24KB

Download
memory/2844-2848-0x0000018E8D860000-0x0000018E8D866000-memory.dmp

Filesize
24KB

Download
memory/2844-2849-0x0000018EA78E0000-0x0000018EA793E000-memory.dmp

Filesize
376KB

Download
memory/2844-2850-0x0000018EA7940000-0x0000018EA7996000-memory.dmp

Filesize
344KB

Download
memory/2844-2845-0x0000000000E30000-0x0000000000E50000-memory.dmp

Filesize
128KB

Download
memory/2844-2852-0x0000018E8D6A0000-0x0000018E8D6A6000-memory.dmp

Filesize
24KB

Download
memory/2844-2853-0x0000018EA79A0000-0x0000018EA79DC000-memory.dmp

Filesize
240KB

Download
memory/2844-2854-0x0000018EA7880000-0x0000018EA789A000-memory.dmp

Filesize
104KB

Download
memory/2844-2855-0x0000018EA8660000-0x0000018EA9298000-memory.dmp

Filesize
12.2MB

Download
memory/2844-2847-0x0000018EA7850000-0x0000018EA7878000-memory.dmp

Filesize
160KB

Download
memory/2844-2846-0x0000018E8EEA0000-0x0000018E8EEE2000-memory.dmp

Filesize
264KB

Download
memory/3448-2910-0x000001E97D100000-0x000001E97D268000-memory.dmp

Filesize
1.4MB

Download
memory/3448-2886-0x0000000000E30000-0x0000000000E50000-memory.dmp

Filesize
128KB

Download
memory/3448-2888-0x000001E951980000-0x000001E951986000-memory.dmp

Filesize
24KB

Download
memory/3448-2887-0x000001E951970000-0x000001E951976000-memory.dmp

Filesize
24KB

Download
memory/3896-1168-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1173-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1178-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1167-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1177-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1166-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1176-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1175-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1174-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download
memory/3896-1172-0x000001D716050000-0x000001D716051000-memory.dmp

Filesize
4KB

Download