agenttesla | hxxps://github[.]com/DeathDealerSoftware/XWorm-V5[.]3/releases

Analysis

max time kernel
1200s
max time network
1163s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/DeathDealerSoftware/XWorm-V5.3/releases

Score

10^/10

agenttesla xenarmor xworm agilenet collection evasion execution keylogger password rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/5956-2177-0x000000001D1C0000-0x000000001D1CE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5956-2088-0x0000000000C70000-0x0000000000C8A000-memory.dmp	family_xworm

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5132-1972-0x00000247CB3A0000-0x00000247CB594000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4980 powershell.exe
3776 powershell.exe
4740 powershell.exe
6080 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

pid	process
4980	powershell.exe
3776	powershell.exe
4740	powershell.exe
6080	powershell.exe

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 8 IoCs

Processes:

dotNetFx45_Full_setup.exeSetup.exedotNetFx40_Full_x86_x64.exeSetup.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeXClient.exeAll-In-One.exe

pid	process
5384	dotNetFx45_Full_setup.exe
5464	Setup.exe
2400	dotNetFx40_Full_x86_x64.exe
3340	Setup.exe
5132	XWorm V5.2.exe
1416	XWormLoader 5.2 x64.exe
5956	XClient.exe
5244	All-In-One.exe

Loads dropped DLL 13 IoCs

Processes:

Setup.exeSetup.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeAll-In-One.exe

pid	process
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
5132	XWorm V5.2.exe
1416	XWormLoader 5.2 x64.exe
5244	All-In-One.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/5132-1964-0x00000247ADFE0000-0x00000247AEDBE000-memory.dmp	agile_net
behavioral1/memory/1416-2064-0x0000021DEA320000-0x0000021DEB0FE000-memory.dmp	agile_net

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

All-In-One.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	All-In-One.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

261 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
261	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeXWorm V5.2.exeXWormLoader 5.2 x64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe

Modifies registry class 28 IoCs

Processes:

XWormLoader 5.2 x64.exemsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{28F77206-62E6-460D-8533-591EB39FEF3D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 622326.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 14563.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

XClient.exe

pid process

5956 XClient.exe

pid	process
5956	XClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeSetup.exemsedge.exemsedge.exeSetup.exeXWormLoader 5.2 x64.exepowershell.exe

pid	process
4460	msedge.exe
4460	msedge.exe
3088	msedge.exe
3088	msedge.exe
4740	identity_helper.exe
4740	identity_helper.exe
5796	msedge.exe
5796	msedge.exe
6048	msedge.exe
6048	msedge.exe
5136	msedge.exe
5136	msedge.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
5464	Setup.exe
6064	msedge.exe
6064	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
3340	Setup.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
4980	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

XWormLoader 5.2 x64.exetaskmgr.exe

pid process

1416 XWormLoader 5.2 x64.exe
4396 taskmgr.exe

pid	process
1416	XWormLoader 5.2 x64.exe
4396	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

Processes:

msedge.exe

pid	process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

7zG.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeAUDIODG.EXEXClient.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exeAll-In-One.exe

description	pid	process
Token: SeRestorePrivilege	4164	7zG.exe
Token: 35	4164	7zG.exe
Token: SeSecurityPrivilege	4164	7zG.exe
Token: SeSecurityPrivilege	4164	7zG.exe
Token: SeDebugPrivilege	5132	XWorm V5.2.exe
Token: SeDebugPrivilege	1416	XWormLoader 5.2 x64.exe
Token: 33	448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	448	AUDIODG.EXE
Token: SeDebugPrivilege	5956	XClient.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	6080	powershell.exe
Token: SeDebugPrivilege	5956	XClient.exe
Token: SeDebugPrivilege	4396	taskmgr.exe
Token: SeSystemProfilePrivilege	4396	taskmgr.exe
Token: SeCreateGlobalPrivilege	4396	taskmgr.exe
Token: SeDebugPrivilege	5244	All-In-One.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeXWormLoader 5.2 x64.exetaskmgr.exe

pid	process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
1416	XWormLoader 5.2 x64.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

dotNetFx45_Full_setup.exedotNetFx40_Full_x86_x64.exeXWormLoader 5.2 x64.exeXClient.exeAll-In-One.exe

pid	process
5384	dotNetFx45_Full_setup.exe
2400	dotNetFx40_Full_x86_x64.exe
1416	XWormLoader 5.2 x64.exe
1416	XWormLoader 5.2 x64.exe
5956	XClient.exe
1416	XWormLoader 5.2 x64.exe
5244	All-In-One.exe
5244	All-In-One.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3088 wrote to memory of 3164	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 3164	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1828	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 4460	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 4460	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe
PID 3088 wrote to memory of 1876	3088	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/DeathDealerSoftware/XWorm-V5.3/releases
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff76e346f8,0x7fff76e34708,0x7fff76e34718
2⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
2⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
2⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
2⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
2⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6212 /prefetch:8
2⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6112 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
2⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
2⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
2⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
2⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
2⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
2⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
2⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
2⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
2⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
2⤵
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
2⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
2⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4008 /prefetch:8
2⤵
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5136

C:\Users\Admin\Downloads\dotNetFx45_Full_setup.exe
"C:\Users\Admin\Downloads\dotNetFx45_Full_setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5384

C:\33b97d96c02a93ac99db7a79\Setup.exe
C:\33b97d96c02a93ac99db7a79\\Setup.exe /x86 /x64 /web
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
2⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
2⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
2⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7324 /prefetch:8
2⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6064

C:\Users\Admin\Downloads\dotNetFx40_Full_x86_x64.exe
"C:\Users\Admin\Downloads\dotNetFx40_Full_x86_x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2400

F:\1fc6037083aa1edd44c22c3249546aca\Setup.exe
F:\1fc6037083aa1edd44c22c3249546aca\\Setup.exe /x86 /x64
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7484 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
2⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
2⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
2⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14594316144106492601,10471946859691478698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
2⤵
PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6108

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap23492:108:7zEvent12031
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff76e346f8,0x7fff76e34708,0x7fff76e34718
3⤵
PID:4768

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qrrfmqeq\qrrfmqeq.cmdline"
2⤵
PID:3508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6171.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc392DAD301128410C87AB53B7D8BCA6D.TMP"
3⤵
PID:5792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XClient.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://exmple.com/
2⤵
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff76e346f8,0x7fff76e34708,0x7fff76e34718
3⤵
PID:5600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
2⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
All-In-One.exe OutPut.json
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5244

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\33b97d96c02a93ac99db7a79\1025\LocalizedData.xml
Filesize
49KB

MD5
d84db0827e0f455f607ef501108557d0

SHA1
d275924654f617ddaf01b032cf0bf26374fc6cd5

SHA256
a8d9fd3c7ebb7fee5adb3cafe6190131cebfcbeff7f0046a428c243f78eac559

SHA512
1b08115a4ea03217ce7a4d365899bd311a60490b7271db209d1e5979a612d95c853be33d895570e0fb0414ab16eb8fd822fe4e3396019a9edd0d0c7ff9e57232

Download Submit
C:\33b97d96c02a93ac99db7a79\1028\LocalizedData.xml
Filesize
41KB

MD5
ff41100cc12e45a327d670652f0d6b87

SHA1
cb53d671cb66d28b6eb7247a1a0c70a114d07e6b

SHA256
ef3de7ab3d80a4d2865b9e191d2311112b4870103d383ae21882f251bbde7f0a

SHA512
f8a2f8db5957a43aa82bd7d193b2ff2a151bba6a9d0ad2d39e120909a0f8939123b389ebb4244a417f9e4d8e46629c49ac193c320231cb614253612af45281a8

Download Submit
C:\33b97d96c02a93ac99db7a79\1029\LocalizedData.xml
Filesize
53KB

MD5
51130f3479df72fe12b05a7aba1891d3

SHA1
fbaf9c0269d532a3ce00d725cd40772bc0ad8f09

SHA256
8845d0f0fadfdf51b540d389bbb0a8a9655cf65055e55dcd54fa655576dd70a1

SHA512
b641e22b81babbde85a6f324851d35f47bd769fc0cff74911010ae620cf682f9c7bc4d946d2f80a46a9851f3cc912625991c8a3876f1d958ea4d49d8791d1815

Download Submit
C:\33b97d96c02a93ac99db7a79\1030\LocalizedData.xml
Filesize
52KB

MD5
53aa67d27c43a35c6f61552ee9865f55

SHA1
504035de2fe6432d54bc69f0d126516f363e1905

SHA256
5d08b297b867179d8d2ec861dbf7e1dfdb283573430a55644e134ee39083157a

SHA512
7a284076f6f204e5be41eab3c3abb1983fbbc21669130cc7e6961a7b858f30caf83fbcb2ef44cfe712341ab664347df29d58b650f004608b015e61e4f5d4f47b

Download Submit
C:\33b97d96c02a93ac99db7a79\1031\LocalizedData.xml
Filesize
55KB

MD5
f8e3a846d4aca062413094f1d953075e

SHA1
09f2aa5b5ef693051862965c7c1063d31623f433

SHA256
5a929328125673d922e7f969769b003f5cb6942daa92818a384d50ac755174c2

SHA512
95fead89ac87c700615deef0b5c75aa818172cb387fb5e7178d0a96adb4a60abe86c3793f1174ad27b3a12fe29a371682a032d83d2c63f50a223e37a9d5fc7c6

Download Submit
C:\33b97d96c02a93ac99db7a79\1032\LocalizedData.xml
Filesize
56KB

MD5
8ecac4ca4cc3405929b06872e3f78e99

SHA1
805250d3aa16183dc2801558172633f718a839c4

SHA256
b9e9740a1f29eeaf213e1e0e01f189b6be1d8d44a2ab6df746eebe9cb772f588

SHA512
6f681c35a38a822f4747d6d2bcacefc49a07c9ca28a6b8eed38b8d760327419b5b469698bed37366c2480a4f118d4d36c6ae0f3c645f185e39a90ff26e749062

Download Submit
C:\33b97d96c02a93ac99db7a79\1033\LocalizedData.xml
Filesize
51KB

MD5
24fde6338ea1a937945c3feb0b7b2281

SHA1
6b8b437cd3692207e891e205c246f64e3d81fdd5

SHA256
63d37577f760339ed4e40dc699308b25217ce678ce0be50c5f9ce540bb08e0a7

SHA512
9a51c7057de4f2ec607bb9820999c676c01c9baf49524011bb5669225d80154119757e8eb92d1952832a6cb20ea0e7da192b4b9ddf813fa4c2780200b3d7ba67

Download Submit
C:\33b97d96c02a93ac99db7a79\1035\LocalizedData.xml
Filesize
52KB

MD5
de5ccb392face873eae6abc827d2d3a7

SHA1
50eab784e31d1462a6e760f39751e7e238ba46a2

SHA256
6638228cb95fc08eebc9026a2978d5c68852255571941a3828d9948251ca087d

SHA512
b615a69b49404d97ce0459412fbd53415dfbc1792ed95c1f1bd30f963790f3f219e028f559706e8b197ce0223a2c2d9f2e1cac7e3b50372ebef0d050100c6d10

Download Submit
C:\33b97d96c02a93ac99db7a79\1036\LocalizedData.xml
Filesize
55KB

MD5
75bf2db655ca2442ae41495e158149c9

SHA1
514a48371362dfa2033ba99ecab80727f7e4b0ee

SHA256
1938c4ffedfbb7fea0636238abb7f8a8db53db62537437ff1ec0e12dca2abfab

SHA512
1b697d0621f47bb66d45ae85183a02ec78dd2b6458ef2b0897d5bbbd2892e15eaf90384bc351800b5d00cb0c3682db234fac2a75214d8ade4748fc100b1c85b2

Download Submit
C:\33b97d96c02a93ac99db7a79\1037\LocalizedData.xml
Filesize
48KB

MD5
94f3480d829cee3470d2ba1046f2f613

SHA1
9a8ffc781afb5f087b39abe82c11e20d3e08b4f3

SHA256
eceb759e0f06e5d4f30bc8a982f099c6c268cff4a1459222da794d639c74f97f

SHA512
436d52da9c6c853616cf088c83b55032e491d6d76eeca0bf0cb40b7a84383a1fcffcb8ac0793cdea6af04d02acf5c1654d6b9461506ee704d95a9469581e8eaf

Download Submit
C:\33b97d96c02a93ac99db7a79\1038\LocalizedData.xml
Filesize
54KB

MD5
818e35b3eb2e23785decef4e58d74433

SHA1
41b43d0b3f81a3a294aa941279a96f0764761547

SHA256
3d8b2c8079cf8117340a8fc363dceb9be102d6eb1a72881b0c43e1e4b934303e

SHA512
98ae09da1be0ebe609d0e11d868258ab322cdc631e3105296c8ce243d821b415f3c487cbb4cd366bb4bdb7f0f9447a25836e53320b424a9ff817cac728ff4ae2

Download Submit
C:\33b97d96c02a93ac99db7a79\1040\LocalizedData.xml
Filesize
53KB

MD5
5e805353cb010fc22f51c1f15b8bcaa1

SHA1
9360f229aee4fed6897d4f9f239072aa22d6da9e

SHA256
02b83ebd2689e22668a5ee55a213091fdc090dfee42c0be9386f530d48af8950

SHA512
275d7c7c952a352417fe896c5be07f5a4c50ff51569cb04ab615cda6a880a8e83f651c87f226a1eb79d8286f777488bfaac2636a1a2057cf5db83037b3e1214f

Download Submit
C:\33b97d96c02a93ac99db7a79\1041\LocalizedData.xml
Filesize
45KB

MD5
5ab13768b6c897eff96e35f91b834d25

SHA1
54f04c73a57a409e4c1fe317a825ee2ed4ddcd10

SHA256
87b5ce86b0134ea82215dcf04ffbf7f5c8a570f814f82b4c7ba6106195924c6b

SHA512
ee98f34723a1593ef12589ea9657f8d9a3c9dc8a3fb5eed6f8bb026c6656a3ca6fec8243745ed7fbf406019b6e2b42762c1ee74d26c0f70cc9da272291fe680f

Download Submit
C:\33b97d96c02a93ac99db7a79\1042\LocalizedData.xml
Filesize
44KB

MD5
ad25367f86144f29946df3b3866e7dbe

SHA1
cc8470dbe0bfe9394742d639d9caeec961a27928

SHA256
90d0885f929059358fe76e61b560b3d188abbe7c041babefc82038f6faebb7eb

SHA512
66a343d1405e377bf2d303b0ec896814a46248c05dfe61a2c3167ed1c915964f7f57b335bd7fae324461e65e5ee6bc2384eff28f71c4325eb3c4f89611659afb

Download Submit
C:\33b97d96c02a93ac99db7a79\1043\LocalizedData.xml
Filesize
53KB

MD5
898d2a1a5fac4d1a028aa11e0ed9f9b4

SHA1
343795fbc1bbf1b0982dc9e70501721433fba892

SHA256
73130da9b103f1812ca69cfffdf5750e74b0228cd40e0325a7f14e799aaf21a3

SHA512
fac3fd81d803c1029df6a3cd93060c950b0ba399fe074d438c4867d55468e7de9aa77bbd7b51fe866f6849684408c853d70956e94de39d4f61019825028a25e4

Download Submit
C:\33b97d96c02a93ac99db7a79\1044\LocalizedData.xml
Filesize
53KB

MD5
a459afdbe20f5d4c904d3e3700ee9191

SHA1
22570b1de34c11796390057537269145a2c63438

SHA256
0ac4bcf5cee39ad42070e34393303ffe3ef27e71c8d9522f3dc01e12f93dda03

SHA512
b01536c774121ba9fe25014bb802b45449ba46529af8ad59f3ff93e339e7443238b268716ac051d24ac9eba093e5d66fd5c5faa2ca17bf744ec31e50627159ce

Download Submit
C:\33b97d96c02a93ac99db7a79\1045\LocalizedData.xml
Filesize
53KB

MD5
95c6472f2c8329ec1c10f7df3a31c154

SHA1
624d46235912dc169913ba77caa7889219e2c394

SHA256
197722527d1ad65a10a29ecec04f029abc549eb5d05bc07a68107ad6dd4bd35b

SHA512
28149ab0c041dc35f717435f3c2218700090fc38723219c1cd40ec7f777c68d99dd08b6a42014ead8fb1e309637b6c33aa5dec0518dc1b72273c7a6fd7ef06c0

Download Submit
C:\33b97d96c02a93ac99db7a79\1046\LocalizedData.xml
Filesize
52KB

MD5
c13b50e2a7f6e7e9343500771cf2d247

SHA1
0b679d20dda94224a5ddd80863a2a32de1cc6f1e

SHA256
3f9bf4eee9ece4a0181ea344344230d73d711aba2fa9248834e3b7547a3062cf

SHA512
32daea597a34f60ca5b73648d66663e4723c0d588af4ce08f76240aabbecd3a35abfbfd5e22abd8eac8ca64a9f2b3edadb8d1c24bc31f53ce5cd902dba3fc5da

Download Submit
C:\33b97d96c02a93ac99db7a79\1049\LocalizedData.xml
Filesize
53KB

MD5
1c8ad8f7aacde7ac59bfd9730cfcae80

SHA1
815c79113429b37d34c7ddff46ceccfe58b4cddc

SHA256
4faa58922f623685f05386ce518c0243e3f310db5ac64c58e5b4e91a3e4477b7

SHA512
27d5871f862756945c66397d539c79bf6032ec0d6a06255ad6b57ad1df3c1e8c87dc55dcc3febfb4bd1ce4eb24f3268fab30b1df3fd1c035d66410337db73785

Download Submit
C:\33b97d96c02a93ac99db7a79\1053\LocalizedData.xml
Filesize
52KB

MD5
984229d90d2e75f49cd9de5df014e484

SHA1
fc32854972f189305a38c11a62ef457cd94026c6

SHA256
c884f515f337e977d4cf1a19ff693c753813ede2e52a9dbe8f6ef25184ccae8d

SHA512
23101cc1b6c17f10a8d53c59c4e9bf6d24d03d781fa1a36fcb89315f2257ea4a1bd652bdbc81845479a88f00f1db52b35a0bba311a9885c7503689f9c25e49c2

Download Submit
C:\33b97d96c02a93ac99db7a79\DHTMLHeader.html
Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\33b97d96c02a93ac99db7a79\ParameterInfo.xml
Filesize
731KB

MD5
4925613d29bc7350130c7076e4c92c1c

SHA1
2821351d3be08f982431ba789f034b9f028ca922

SHA256
9157a0afe34576dfea4ba64db5737867742b4e9346a1f2c149b98b6805d45e31

SHA512
3e69650e4101a14ef69f94fa54b02d8d305039165a0bffc519b3cf96f2dcbcf46845e4669d29ccc5ceb887b2f95fc4756265b19d5c17aa176d3d6dc53ed83f77

Download Submit
C:\33b97d96c02a93ac99db7a79\Setup.exe
Filesize
85KB

MD5
8b3ecf4d59a85dae0960d3175865a06d

SHA1
fc81227ec438adc3f23e03a229a263d26bcf9092

SHA256
2b088aefcc76d0baa0bff0843bf458db27bacc47a8e698c9948e53ffc471828b

SHA512
a58a056a3a5814a13153b4c594ed72796b4598f8e715771fc31e60c60a2e26250768b8f36b18675b91e7ecc777ef27c7554f7a0e92c2dfaba74531e669c38263

Download Submit
C:\33b97d96c02a93ac99db7a79\SetupEngine.dll
Filesize
868KB

MD5
43bc7b5dfd2e45751d6d2ca7274063e4

SHA1
a8955033d0e94d33114a1205fe7038c6ae2f54f1

SHA256
a11af883273ddbd24bfed4a240c43f41ce3d8c7962ec970da2d4c7e13b563d04

SHA512
3f3068e660fea932e91e4d141d8202466b72447107ff43f90dea9557fc188696617025531220bc113dc19fdd7adf313a47ac5f2a4ce94c65f9aeb2d7deda7f36

Download Submit
C:\33b97d96c02a93ac99db7a79\SplashScreen.bmp
Filesize
40KB

MD5
0966fcd5a4ab0ddf71f46c01eff3cdd5

SHA1
8f4554f079edad23bcd1096e6501a61cf1f8ec34

SHA256
31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3

SHA512
a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

Download Submit
C:\33b97d96c02a93ac99db7a79\UiInfo.xml
Filesize
37KB

MD5
d8f565bd1492ef4a7c4bc26a641cd1ea

SHA1
d4c9c49b47be132944288855dc61dbf8539ec876

SHA256
6a0e20df2075c9a58b870233509321372e283ccccc6afaa886e12ba377546e64

SHA512
ecf57cc6f3f8c4b677246a451ad71835438d587fadc12d95ef1605eb9287b120068938576da95c10edc6d1d033b5968333a5f8b25ce97ecd347a42716cd2a102

Download Submit
C:\33b97d96c02a93ac99db7a79\sqmapi.dll
Filesize
191KB

MD5
d475bbd6fef8db2dde0da7ccfd2c9042

SHA1
80887bdb64335762a3b1d78f7365c4ee9cfaeab5

SHA256
8e9d77a216d8dd2be2b304e60edf85ce825309e67262fcff1891aede63909599

SHA512
f760e02d4d336ac384a0125291b9deac88c24f457271be686b6d817f01ea046d286c73deddbf0476dcc2ade3b3f5329563abd8f2f1e40aee817fee1e3766d008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
40KB

MD5
c9064e5728ce30490ffe57f2cc60ae47

SHA1
870e176d01d11460c36d146f8705184efc311009

SHA256
9e86c748174642678845f8ea20d2139a1c003a6b93537e55e351e79489168396

SHA512
361a91a045dd1052627cf6ff639ab0b3ff40b353e9e362e8e44702bc12421c763d47d18888cad060b3691a9d73f63fc26323a68660ecb1fbc5e80e96da1e3607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
1.2MB

MD5
89fe452a2fa7abfc6c38a58c12ba9b4f

SHA1
974d32ed56246635dadb3db69752735dfe3be2b7

SHA256
d0548fbc9f09751d4175ea95faeef4fb1384c2208a2b9c93eb46ed0789ec8095

SHA512
6aa628ca5fddf25e238338752464710ff839743390cd0f46752bcd7dedab80c9ba15aa375c4825624081b634a1ceed2b7317dc775d5d335621db911c38ba852b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
33KB

MD5
3cd0f2f60ab620c7be0c2c3dbf2cda97

SHA1
47fad82bfa9a32d578c0c84aed2840c55bd27bfb

SHA256
29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b

SHA512
ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
75KB

MD5
cf989be758e8dab43e0a5bc0798c71e0

SHA1
97537516ffd3621ffdd0219ede2a0771a9d1e01d

SHA256
beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615

SHA512
f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023
Filesize
25KB

MD5
d0263dc03be4c393a90bda733c57d6db

SHA1
8a032b6deab53a33234c735133b48518f8643b92

SHA256
22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12

SHA512
9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
Filesize
22KB

MD5
9196e81f8ed7f223d765423c1f9bc8a7

SHA1
88f9d5c2a6908cf36b8daae803578ca9e1fd2929

SHA256
a4e2bcf7ef3c6c614c2142d3c1fd44caac4eafa86a1779ac31cba164e2d89cbe

SHA512
e7d23866fcac017762d2e2f18597124e9147f458d30038f78ba9f3a2bcbe479fe4792573894370ce2d6f93a00401231d9f01955fde351ff982a82ba87a8241f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034
Filesize
35KB

MD5
5009982b60a0f93eac4c1728e5ca17e2

SHA1
c0f932d333b91a4b971a52ce88bc96320745064f

SHA256
2ffc0ec332938cbce14008ab246c3d918800189aece932e92bedd8adb8332fe8

SHA512
401dd0a45c177130628787b92a17642783d27b1a977833af4110d81cbf2572a159a371beb473baa07ad38ac8297551aadadd2ebb80401a73acd580fdc03964aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
4KB

MD5
4506f5f7919afea322bf65b58592fd28

SHA1
aae8f9553582233ebfd522c90f9e8bdacc4a36df

SHA256
d77848d7bca16826845fb6efb6b04f05dcbabf767840c14752930e8d943fc332

SHA512
618126c55ea4df3b691fb93959452cb744379eb199f53941ce52328686cbb8cbf9e0ce03eb2f2383932bf537af605f5d583e116483e3bcb537adf28736e319c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
aef7ac6fbb67ff45be1ead607d8d1223

SHA1
e89fd4285a31751395c95bdf99d0716982fcafc9

SHA256
354bbd138775e6dbb6fb72c7548eac5406ade05f75e9f70881a1134adeb102b0

SHA512
5d725c02ea512677296ed5b8a33c9ffcb8b077aa1b3ceb9dcd5209b01b5df7c709ba87777b41301edba5e9cdf46f036b5d0cd99aac2a05e26da8da9c6443e255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
b4b19fa19af12876bec86a9ed03db3ee

SHA1
c87b6de6d42413ba148d61187474032ac66bed0c

SHA256
e343756bd858b2f0c2996ac335a10352c66d1b52ae2d6f90dc5b1574cd9a67a2

SHA512
4feeaec17cc98d944216f95e77433aeeef7c4245e26cfc747b656bd111cfc3f0d291c13948950db5ed9d4aeccfef5cacea5fe36103ccba86f753e9cd35af6c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
d53098f77a632a38ef29f8700b5506b4

SHA1
4af993518d5e87f109b8166f92051a59a37a7db7

SHA256
b0573f57a90c8c4cb39e5028ed3d0abe0ae874047b7ce1ecbad743fe97569e9d

SHA512
25dfb824e3699edc0a8555b29ed1d6168ebf097a6672f45b25a2ded186ef379c4a68f8d204efc9f2e60e25131312365b85b4b4df2824071fe37454c12da4d28e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
f24ce2b30235ea3e666b6a73073bccd0

SHA1
10ffe7642108785f46efbfbe87c4c449f4df9929

SHA256
2614a261af230f16c07562f22fe82203b8174f80597ff685b4f9eac5dca3a50d

SHA512
75befe73a95ca19b8362b2980debaedd9e8098a28ee3f258aa0b3ed36d7f1e099ef57f9ca41f51ab9bc0b08d77e0517ae474a0155062fbcd28444a0a62072c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
a4c707d8a252bbe3c308b1b3e56dace1

SHA1
863065c6927b1824e6911efe73f5df96948fb6c9

SHA256
19902c6ab1793f378451071297d3d3d3a3c17e580aac88b6730843b25afb01f0

SHA512
cab3fa84df4aab906823ef5e3a171923c57e29ea3cb30be4da108451da0ba39c11909f4f90ab7d1ffdcabe569d270f6be55a74c08dfab6ca07d51ef4d957cd95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
053b819b0bba99ec1b8557debfc7ae40

SHA1
5ce635679864840a26da3fe3de26a9935ee36f7d

SHA256
e03b0b384737be1d09c8688ba705777bfe0718f7647bc93edef0c41658ba356a

SHA512
c31955339d637bf7a02763e3bbbc89e33680d0b6460398634b7178254c6b0b2cc4969601389b6c6dc65de6a6a0b44ec7f334c6adbc23cae345e768eda672b55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
78fb42f65faef42c2373a21a25b25efe

SHA1
ed565eedaaee37d2534997c6c6e87ca59654f83d

SHA256
f999f44348fc88bc61ac02e11eea19fc9d4f5d42ba1fe6059292e084c85e1f99

SHA512
8a2b6134579d1b0115f794db37842fefbe41c23bf4043eb0d084d751d3b8d74de956420a638b53eb05423526614a97b19c958e38e62726a0d88b927a51a74e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
e138a99a213792d601b5cc09a73c1d7a

SHA1
d4d9a3ff0b6e5c2c29ca617b4db871f1bbc9877c

SHA256
cfa7a97a56d6927d242b1479c2daade638d67a3c96dfad0283cb2ba8e9c02b06

SHA512
d1bc66d20890c34917cb8fcb36f5eaf5cd0bb249f5b7ac3a26df342d141b595d4db449457408d52b52c60c66360134b8a653caa5b8ef3e46880136e24673f181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
b7268aed0c4804aec10d1d3fb7f1ed1a

SHA1
2ed900c008831dcbfc7fef6c04a773ed964a2eb2

SHA256
a0737c1850c5429ef10a8fae8d73f9c145bbd66fd7cd3caa3fd89c3626520720

SHA512
7e177b2b01dbba9e0eab3ec54b9e135ba6b2297fd432bc86565f6971004d0afcaef7fb4a6ce38f6fdd59d3fa13055f2631f0fdbd221279a4dc5cf092877fa057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
181ad64e36cbc301b5ff6eb2728bfb94

SHA1
a4f7dbb76831c3759fb94742b96ee414077b7075

SHA256
05c1072199d99d5f0e5ace1cc83a1547c821b35fcb565571a08f477da2804857

SHA512
025516451da235dab33e0a2f045a9513a68aebc6fbfcb0e409ebdbd9e5770b876f0109068dd46283a662eb47a32bbd74d7b535f87e28ec8bb3821794d90406c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
e91449d7a18ac3a930c8347e593f7b47

SHA1
2b457f2d43e04ad23b97d0167f7c696999f8c80c

SHA256
fc31d5b290d6944c1ecc9566bddc91c4c579e5d9303e4e82daa663735fc868ec

SHA512
b1042e34cbd98d344d5d69d1220f5878a961ccca4d1ef7a9bcb5ce6212919820f674cc1aa3a6195642e5023b627be25c03d50bfd4abc4503f37039bca1257b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fa056d0107767dabdc958b6c221da06c

SHA1
3d30faa1242ebe8406c644424c055c7cc1359316

SHA256
0a0c50177d6abb46799bd8d25f5f45051a53d06436cae95009a2a2c9c761df9d

SHA512
f3cb89c62f6cab9a176e776f3099492ee6eaa3efe568a02f63ef8e75eadf0cf0072e221959401a435e2bea4d82e0c854b6e3f204b7cb6fe0a7d329e88127ebb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
b8a047609205de63742987932019d88f

SHA1
d9b36532f976fb2a47ae6fb11633e60f4eb3cb46

SHA256
c7c86e6e0e77a31627b4a14f7f5eab5fe48c8d4f8ac25084529fc0db6ca997fa

SHA512
4b879283b0569ff0da59392c8051b00dea02a259a185ee7a32e1b7957d8017bafdd097450e71f3f6612102fe4968068b3c5c90f736d18e8bb08136f13c0acb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
ff4921dd3b54478e0a1f475747c430f2

SHA1
d4b2acfd1a0ae2345178eadb0e5e5ca994b1726a

SHA256
724758d58103e3fd6b1bef5d08e4fefdbd788c5ad8ba97cd61eca07927ddebec

SHA512
a13963ababab40d3d4f8fd637b53b586369178fcedc4d2e8d806ad57477490ab63f7a2d8a066fe21c4fb889dc63a11c931fa483c547c0e9b9b4e5c5445f17686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
cdbdb5d3a11be254f5ac608092c8daac

SHA1
38a671117946f50893a202d43600ac2df9350d15

SHA256
03d0562c93e37bf2b1e159ece456e618d1b7e7c001e153aace87d2e10c7d127e

SHA512
4556cb5131bca5c5164b02547aeb3f43fcc43518fe0ce7aefc43b216364e9ac07385b95596d42951a8277682f01a519fae82162e0c3b6b2b839c9370c7e90a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
d39f129bafec7875613ac5e93eddc277

SHA1
59d868cb33d821aaafc14aad87c6c81feb2e03ad

SHA256
bb8aace63c86b24980a7f53d3dd95f10c4ec94009e991079a4120c753b277bad

SHA512
812595f4d8e0515141aba4f758e5315157ee07890f12d4320ffe3e44c08cdfa2426f41aa0d3540927bd246f5b2ced38b07d6299cb26748560cbcd55a5ab28e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
565caa31d403045881dacb5c7cd6a4d6

SHA1
3dbc969c84853d9a6c877afd7467cde4c10012a7

SHA256
4aa983de8141493e0fda58bb5778445269a0235a7a75088acdfc0e75bbe90e20

SHA512
ad882ac25a004302c328384bc13235fc6a0eb09a357ab3695c39c35af70229d4814045d2ae36a206f36320a239252e94f89cbf3113680453b711e3e524d9e84a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7adb21d837e1f392739b32f4d0b2217e

SHA1
cdefb0dd555b5dc8b5b592d23de7508e5261fe1a

SHA256
c66544e7961c5956f872671d5f0345a564dc8f875174d8c16e7d4963329afc15

SHA512
9d27bdb3b19ff70d206e7ea65aa30be795226be29a8864d06298e3adaf39a7dae048221fd6cdae519f086baa257c122f7b2d0409790ee97522df65d4adf4fd70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5f91cd5e99117c6b57c7396e5781d22a

SHA1
d6e335af648c46361b265f2ca61178804e0832b4

SHA256
f964189024a4868ce1ec012e14f56b5fee87f3204981bcf61aba4d34479d6877

SHA512
a3e8ba8653f4130b5d2793da9f519d08e19af174e09a441ec93a41a85a779a11312189e0a428524314f67098c020ec1fa9cb7554ac4a04e6071f0eb978372c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
31b8c38ac8d7682228f6967bc908b1a4

SHA1
0a737a6c31e975b69c67cee66cd65e958e761dd6

SHA256
90cc8fc83e54b19dc77cc49654d7047064f265a04c9bd69e94bd5cccf8c26607

SHA512
20905d301ac399a25f179c0cc2cbcffdd3f0d8281d302c6cd65e3d3b5293e7eb0ae5259a5726ab45e4a9507767225b12f55f575ce8d6b5261ace8a2160cccecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
90b95f8f29143f734cd67a2d279c20fb

SHA1
0a48be2a496da5629d6b85121d7ba61a5b28e288

SHA256
3c0ee57a0d135c5c6a12c22df2fc738a2b87637a8dc7d281e2e3a546e93d65ec

SHA512
bdc359d515c1a071545991200ebb5b4fd5b7438e34d13b48743121c1f5c9da747f92090627e2c706a08aaf2c68961ea63d9560af1bf0162070a4dbb4fd0255dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d6bf97331be402629dd569ac33e79502

SHA1
bedacf3141a084e889ce35eeec40037472b955e1

SHA256
f868af7c5e747fc7d28ff398bd0e3f95996056f81756421371582d4597b18791

SHA512
4854659b03f67078dbde1eab1d39021255e299abf44fcd8cfc733f51b76f9654c396d3a14c7c55e6e8b3d59d4dd06da9caa7ccee5ce2008184a98c3ae1c66d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
09cc9dce1ce56b9dcb157eb0a2a02bda

SHA1
65740493a171ada8fa2dc86b8d74a8e2c8fd7a04

SHA256
8abb905fb76fe31a52bb2b98cf1dd9d01921345391d73e25658ef935d50eb732

SHA512
e60fa43ac9454e51292975a8a3cea49faad642c3355267c6844d8ceeb994a6e35db0fd3406781f3ac51dc95636bb3b404d01b8e801480e2d80ae35f22e24cd4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
3eb9d828d1a6fe5402ebe2f71514baf9

SHA1
d9d92b774748d2deeae2064df00837a92a8b36f9

SHA256
dacf40e8245a146683ff150fb3f9044201b5aa2a71ba04c8dc36d76026903d6c

SHA512
77116079f972c34be32e83bc31e92dd1708eb5a8b7850e13e9e4e5b83d0c129aa03a3b8d9c48fd00d0dfc24817adfb6617b5d023c9beb6c8a75db72113bcc7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
ab12e8cd5d6fa01f1dd1e79f73a5becf

SHA1
11d64e8a2a3880b1ceb3d7aa9f55b122fb4a4a0f

SHA256
2417945b596cd21d0abe5ff30dcb1e706df5f8f703d15caeb0dbbacd01d9ae5f

SHA512
4dc16f740e5faeaa1f518c36fd03c429ed7cd2616ed76f45b387f90a05bcc3ab9d82022ed52c791c873987a1c85ac1baa439d1ad9169244303b0626af4b6a476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bd26.TMP
Filesize
874B

MD5
6bbc99615aa28abe3dffe3fab6fd4440

SHA1
41b324ff72e44a8e7473fb73b58ef97249399919

SHA256
4edfc733f8df1993eae011fa9ce09334091ccdd28dfe4e9e6d225e38dcd31e6f

SHA512
2bf16a4f887bd54a84ab34e82f5724aa7c21132760cee0914b1261d5dde57dc70ffff34405f620c2330428e43a2e02827ff4e31547ada291ecd14d798dae9549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b0b86eca-3c38-42da-9790-7f172f2d61c7.tmp
Filesize
5KB

MD5
b675d86ad37f02f2631c1d3a304bfbdb

SHA1
22ebf1737fba1c0248eee86d03a58fbc3e092393

SHA256
b99c01fa85afe4e4c95c68cd625b52ebf0afe9a0a2c9e65f4b3244370899ebeb

SHA512
829c22e4f1b9142fc00b939b93a002e4f6ffb05fb68ab8d04fb966e20e292538bf754a07b165970cf80d2167b806d7d9b9467bdb4ac45abec620b50bf519366b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
8c52156e3b90243c676efaf1754f1611

SHA1
a1793c4ab2bfb3223a0dd409518c49e7669b22b2

SHA256
e39cfb300ac63247095ff4a5230105bc8efda81777086888a78c95203bea8957

SHA512
2759438d911af05118344f53bbcf075c2a27bb6d3af3a44fd19ba3467007027b24f324c6a359a3a0fd6012ad96945e78c72f6b9abb2c94aea5e9e2d3749af824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5756ae6c4a3c4fb475577893bfb673cb

SHA1
77c3322f4adbc2e3966dbb5edeb48bba6fbaf5cd

SHA256
5a3f2e8ec0df55c66d4939f2e20ac2514e6279217b6a553f5059740ff41167f1

SHA512
354a3956a6b8f5f84bf06add00843a82edeeb686dbdbe5bf5a3fbfbf266e65206b1f7839d8af061b5e94dd35c68953bd0276e1cc78967503c20a03e08c9b9858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
2f16f2cf10d576737509efc53a36d169

SHA1
bf49894269bd72ad573f33ddbc8e8a6c91938f60

SHA256
2c6bcaf7e91cfda6b3af3542bc9568bf353e02b59877f3d60d222dfb505182e7

SHA512
854b8f6077aa896c11a4dcaf66a4bfc89cbaeb429d6858382d0fb5dea02cfa12ca49e87374a3716d528c59218ae4a0fc58684dc785c2cd1dc71148c76c7d528b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
1728b9f0f06cbc0430c9b8f457409f25

SHA1
a10cae7337c8da8014499d90c830fa7cfca41f1f

SHA256
ca9b4fa61a85437a6b5b3a5f07ab2502c15640029fc89a8fb159e673365499c3

SHA512
89a960a11d972a9da67116ea14c04deea6beae049ef3856f8b0cd0fa7f1c2a9aa52dbcafd4c48a8d7f5052b15d30faf62448153aae0894621e0882360424cf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
Filesize
5.1MB

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll
Filesize
18KB

MD5
6ea692f862bdeb446e649e4b2893e36f

SHA1
84fceae03d28ff1907048acee7eae7e45baaf2bd

SHA256
9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2

SHA512
9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll
Filesize
21KB

MD5
72e28c902cd947f9a3425b19ac5a64bd

SHA1
9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7

SHA256
3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1

SHA512
58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll
Filesize
18KB

MD5
ac290dad7cb4ca2d93516580452eda1c

SHA1
fa949453557d0049d723f9615e4f390010520eda

SHA256
c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382

SHA512
b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
19KB

MD5
aec2268601470050e62cb8066dd41a59

SHA1
363ed259905442c4e3b89901bfd8a43b96bf25e4

SHA256
7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2

SHA512
0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll
Filesize
18KB

MD5
93d3da06bf894f4fa21007bee06b5e7d

SHA1
1e47230a7ebcfaf643087a1929a385e0d554ad15

SHA256
f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d

SHA512
72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll
Filesize
18KB

MD5
a2f2258c32e3ba9abf9e9e38ef7da8c9

SHA1
116846ca871114b7c54148ab2d968f364da6142f

SHA256
565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33

SHA512
e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll
Filesize
28KB

MD5
8b0ba750e7b15300482ce6c961a932f0

SHA1
71a2f5d76d23e48cef8f258eaad63e586cfc0e19

SHA256
bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed

SHA512
fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
25KB

MD5
35fc66bd813d0f126883e695664e7b83

SHA1
2fd63c18cc5dc4defc7ea82f421050e668f68548

SHA256
66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735

SHA512
65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
22KB

MD5
41a348f9bedc8681fb30fa78e45edb24

SHA1
66e76c0574a549f293323dd6f863a8a5b54f3f9b

SHA256
c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b

SHA512
8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
23KB

MD5
fefb98394cb9ef4368da798deab00e21

SHA1
316d86926b558c9f3f6133739c1a8477b9e60740

SHA256
b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7

SHA512
57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll
Filesize
22KB

MD5
404604cd100a1e60dfdaf6ecf5ba14c0

SHA1
58469835ab4b916927b3cabf54aee4f380ff6748

SHA256
73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c

SHA512
da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll
Filesize
20KB

MD5
849f2c3ebf1fcba33d16153692d5810f

SHA1
1f8eda52d31512ebfdd546be60990b95c8e28bfb

SHA256
69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d

SHA512
44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll
Filesize
18KB

MD5
b52a0ca52c9c207874639b62b6082242

SHA1
6fb845d6a82102ff74bd35f42a2844d8c450413b

SHA256
a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0

SHA512
18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll
Filesize
324KB

MD5
04a2ba08eb17206b7426cb941f39250b

SHA1
731ac2b533724d9f540759d84b3e36910278edba

SHA256
8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4

SHA512
e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll
Filesize
135KB

MD5
591533ca4655646981f759d95f75ae3d

SHA1
b4a02f18e505a1273f7090a9d246bc953a2cb792

SHA256
4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47

SHA512
915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll
Filesize
1.2MB

MD5
fc57d044bfd635997415c5f655b5fffa

SHA1
1b5162443d985648ef64e4aab42089ad4c25f856

SHA256
17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3

SHA512
f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll
Filesize
140KB

MD5
1b304dad157edc24e397629c0b688a3e

SHA1
ae151af384675125dfbdc96147094cff7179b7da

SHA256
8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb

SHA512
2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll
Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll
Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll
Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll
Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll
Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI8DD5.tmp.html
Filesize
17KB

MD5
11b8874b200bb57cdf1b3955f20dc36c

SHA1
66c8424994768eb6a886bf9a71b870644477055b

SHA256
a23c89f73c65a50922948fa6277acf19b65421368c2cbbdfcc76350242f35120

SHA512
48d00d25f124835f1c6b4ed0736ae0f022cb00ecc9193cf47eb0241a89da6e6afbc30f3f20e102b2b8e5dbceffa90a0cf4686999e686454b84dc969b6cf6db35

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
Filesize
104B

MD5
774a9a7b72f7ed97905076523bdfe603

SHA1
946355308d2224694e0957f4ebf6cdba58327370

SHA256
76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81

SHA512
c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll
Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenManager.dll
Filesize
2.0MB

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vixw0pau.sih.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.db
Filesize
20KB

MD5
56b941f65d270f2bf397be196fcf4406

SHA1
244f2e964da92f7ef7f809e5ce0b3191aeab084a

SHA256
00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c

SHA512
52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 622326.crdownload
Filesize
982KB

MD5
9e8253f0a993e53b4809dbd74b335227

SHA1
f6ba6f03c65c3996a258f58324a917463b2d6ff4

SHA256
e434828818f81e6e1f5955e84caec08662bd154a80b24a71a2eda530d8b2f66a

SHA512
404d67d59fcd767e65d86395b38d1a531465cee5bb3c5cf3d1205975ff76d27d477fe8cc3842b8134f17b61292d8e2ffba71134fe50a36afd60b189b027f5af0

Download Submit
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Icons\icon (15).ico
Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\dotNetFx40_Full_x86_x64.exe
Filesize
48.1MB

MD5
251743dfd3fda414570524bac9e55381

SHA1
58da3d74db353aad03588cbb5cea8234166d8b99

SHA256
65e064258f2e418816b304f646ff9e87af101e4c9552ab064bb74d281c38659f

SHA512
241ba3f82f37818407bc00909c160b653b45a1a3d156e043b87ba18a7819294716705c952c7b46516c4afd86e6f99bad23e7235b951a371ae6728107f19e5f23

Download Submit
\??\pipe\LOCAL\crashpad_3088_OUAWCHFWXWIANWGP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1416-2059-0x0000021DE94A0000-0x0000021DE94F6000-memory.dmp

Filesize
344KB

Download
memory/1416-2054-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1416-2055-0x0000021DE9210000-0x0000021DE9252000-memory.dmp

Filesize
264KB

Download
memory/1416-2056-0x0000021DE9260000-0x0000021DE9288000-memory.dmp

Filesize
160KB

Download
memory/1416-2057-0x0000021DE91F0000-0x0000021DE91F6000-memory.dmp

Filesize
24KB

Download
memory/1416-2058-0x0000021DE9300000-0x0000021DE935E000-memory.dmp

Filesize
376KB

Download
memory/1416-2076-0x0000021DF66A0000-0x0000021DF6808000-memory.dmp

Filesize
1.4MB

Download
memory/1416-2060-0x0000021DE91C0000-0x0000021DE91C6000-memory.dmp

Filesize
24KB

Download
memory/1416-2061-0x0000021DE91D0000-0x0000021DE91D6000-memory.dmp

Filesize
24KB

Download
memory/1416-2062-0x0000021DE9500000-0x0000021DE953C000-memory.dmp

Filesize
240KB

Download
memory/1416-2063-0x0000021DE92B0000-0x0000021DE92CA000-memory.dmp

Filesize
104KB

Download
memory/1416-2137-0x0000021DECC90000-0x0000021DECD12000-memory.dmp

Filesize
520KB

Download
memory/1416-2138-0x0000021DF6810000-0x0000021DF68C2000-memory.dmp

Filesize
712KB

Download
memory/1416-2136-0x0000021DF6B00000-0x0000021DF6DE2000-memory.dmp

Filesize
2.9MB

Download
memory/1416-2135-0x0000021DECA70000-0x0000021DECA9C000-memory.dmp

Filesize
176KB

Download
memory/1416-2064-0x0000021DEA320000-0x0000021DEB0FE000-memory.dmp

Filesize
13.9MB

Download
memory/4396-2166-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2173-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2170-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2164-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2165-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2171-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2176-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2175-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2172-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4396-2174-0x000002B268680000-0x000002B268681000-memory.dmp

Filesize
4KB

Download
memory/4980-2089-0x00000260634C0000-0x00000260634E2000-memory.dmp

Filesize
136KB

Download
memory/5132-1972-0x00000247CB3A0000-0x00000247CB594000-memory.dmp

Filesize
2.0MB

Download
memory/5132-1971-0x00000247CA3C0000-0x00000247CAFAC000-memory.dmp

Filesize
11.9MB

Download
memory/5132-1964-0x00000247ADFE0000-0x00000247AEDBE000-memory.dmp

Filesize
13.9MB

Download
memory/5956-2205-0x000000001DBC0000-0x000000001E094000-memory.dmp

Filesize
4.8MB

Download
memory/5956-2088-0x0000000000C70000-0x0000000000C8A000-memory.dmp

Filesize
104KB

Download
memory/5956-2177-0x000000001D1C0000-0x000000001D1CE000-memory.dmp

Filesize
56KB

Download
memory/5956-2140-0x00000000016F0000-0x00000000016FC000-memory.dmp

Filesize
48KB

Download