agenttesla | hxxps://mega[.]nz/file/FKVVRDKa#hjzYn8cTZKkNmb9fojMy_bQECNq8eEpwV1CEF6TGbK0

Analysis

max time kernel
544s
max time network
544s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/FKVVRDKa#hjzYn8cTZKkNmb9fojMy_bQECNq8eEpwV1CEF6TGbK0

Score

10^/10

agenttesla xworm agilenet keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

install_file
USB.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-3826-0x00000000001D0000-0x00000000001E4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Guna.UI2.dll	family_agenttesla
behavioral1/memory/2920-592-0x00000276F9F70000-0x00000276FA164000-memory.dmp	family_agenttesla

Executes dropped EXE 3 IoCs

Processes:

XWorm V5.4 VIP.exeXWorm V5.4 VIP.exeXClient.exe

pid process

2920 XWorm V5.4 VIP.exe
3604 XWorm V5.4 VIP.exe
1960 XClient.exe
Loads dropped DLL 5 IoCs

Processes:

XWorm V5.4 VIP.exeXWorm V5.4 VIP.exe

pid process

2920 XWorm V5.4 VIP.exe
3604 XWorm V5.4 VIP.exe
3604 XWorm V5.4 VIP.exe
3604 XWorm V5.4 VIP.exe
3604 XWorm V5.4 VIP.exe

pid	process
2920	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
1960	XClient.exe

pid	process
2920	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XWorm V5.4 VIP.exe	agile_net
behavioral1/memory/2920-582-0x00000276DCF10000-0x00000276DDCF0000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 24 IoCs

Processes:

lodctr.exelodctr.exe

description	ioc	process
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWorm V5.4 VIP.exemsedge.exechrome.exeXWorm V5.4 VIP.exeXClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.4 VIP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.4 VIP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.4 VIP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.4 VIP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.4 VIP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.4 VIP.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616365352757407"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 35 IoCs

Processes:

XWorm V5.4 VIP.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 8400310000000000bf58006d100058574f524d567e312e3456490000680009000400efbebf58da6cbf58006d2e0000003b35020000000700000000000000000000000000000008277600580057006f0072006d002000560035002e00340020005600490050002000420079002000570061006e0074004800610063006b00730000001c000000	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	XWorm V5.4 VIP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWorm V5.4 VIP.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	XWorm V5.4 VIP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWorm V5.4 VIP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "5"	XWorm V5.4 VIP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWorm V5.4 VIP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWorm V5.4 VIP.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exechrome.exeXWorm V5.4 VIP.exechrome.exe

pid	process
3576	msedge.exe
3576	msedge.exe
1448	msedge.exe
1448	msedge.exe
5016	identity_helper.exe
5016	identity_helper.exe
5632	msedge.exe
5632	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
212	chrome.exe
212	chrome.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
4688	chrome.exe
4688	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeXWorm V5.4 VIP.exe

pid process

5164 7zFM.exe
3604 XWorm V5.4 VIP.exe

pid	process
5164	7zFM.exe
3604	XWorm V5.4 VIP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exechrome.exe

pid	process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXE7zFM.exe7zG.exeXWorm V5.4 VIP.exechrome.exe

description	pid	process
Token: 33	2272	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2272	AUDIODG.EXE
Token: SeRestorePrivilege	5164	7zFM.exe
Token: 35	5164	7zFM.exe
Token: SeRestorePrivilege	5044	7zG.exe
Token: 35	5044	7zG.exe
Token: SeSecurityPrivilege	5044	7zG.exe
Token: SeSecurityPrivilege	5044	7zG.exe
Token: SeSecurityPrivilege	5164	7zFM.exe
Token: SeSecurityPrivilege	5164	7zFM.exe
Token: SeSecurityPrivilege	5164	7zFM.exe
Token: SeSecurityPrivilege	5164	7zFM.exe
Token: SeSecurityPrivilege	5164	7zFM.exe
Token: SeSecurityPrivilege	5164	7zFM.exe
Token: SeSecurityPrivilege	5164	7zFM.exe
Token: SeDebugPrivilege	2920	XWorm V5.4 VIP.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zFM.exe7zG.exechrome.exe

pid	process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
5164	7zFM.exe
5044	7zG.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
5164	7zFM.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

OpenWith.exeXWorm V5.4 VIP.exe

pid	process
3268	OpenWith.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe
3604	XWorm V5.4 VIP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1448 wrote to memory of 1636	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 1636	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 2088	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3576	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3576	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 5084	1448	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/FKVVRDKa#hjzYn8cTZKkNmb9fojMy_bQECNq8eEpwV1CEF6TGbK0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff54f946f8,0x7fff54f94708,0x7fff54f94718
2⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4152 /prefetch:8
2⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
2⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
2⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
2⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1404 /prefetch:1
2⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
2⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14544575399285052998,12667870986584210869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
2⤵
PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5164

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap10889:116:7zEvent6080 -ad -saa -- "C:\Users\Admin\Documents\XWorm V5.4 VIP By WantHacks.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Password.txt
1⤵
PID:1904

C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XWorm V5.4 VIP.exe
"C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XWorm V5.4 VIP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff54f946f8,0x7fff54f94708,0x7fff54f94718
3⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff54f946f8,0x7fff54f94708,0x7fff54f94718
3⤵
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Fixer.bat" "
1⤵
PID:4392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Fixer.bat"
1⤵
PID:4520

C:\Windows\system32\lodctr.exe
lodctr /r
2⤵
- Drops file in System32 directory
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Fixer.bat" "
1⤵
PID:3068

C:\Windows\system32\lodctr.exe
lodctr /r
2⤵
- Drops file in System32 directory
PID:5296

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Important Note.txt
1⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4436ab58,0x7fff4436ab68,0x7fff4436ab78
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:2
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:1
2⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:1
2⤵
PID:180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:1
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4224 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:1
2⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5276 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5356 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:1
2⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2512 --field-trial-handle=1936,i,1849078714513453340,15800492179257947784,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1060

C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XWorm V5.4 VIP.exe
"C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XWorm V5.4 VIP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0lroludl\0lroludl.cmdline"
2⤵
PID:5248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB50F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2383588643A24412996599FB7C78323.TMP"
3⤵
PID:5776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2400

C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XClient.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x64\System.Data.SQLite.DLL
Filesize
1.6MB

MD5
1b1a6d076bbde5e2ac079ef6dbc9d5f8

SHA1
6aa070d07379847f58adcab6b5739fc97b487a28

SHA256
eaadfbcafd981ec51c9c039e3adb4963b5a9d85637e27fd4c8cfca5f07ff8471

SHA512
05b0cb3d343a5706434390fe863e41852019aa27797fe5d1b80d13b8e24e0de0c2cb6e23d15e89a0f427aaeaf04bf0239f90feb95bfc6913ca4dc59007e6659e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\167b1b76-e80f-4c6b-bee9-5a4c2300d343.tmp
Filesize
261KB

MD5
b9a5c572da8fa12dc474f84b614789aa

SHA1
0e3a6523daf20046a49e8373f8ad120e07f1e663

SHA256
ddc011750c896e75af4028183e43dbd6d026e0fa1033643db5026ea91b3ee7bc

SHA512
d13c3b8908890014c487c22655cda4ddbc10bebc59b2b8d6b157b8f80c2578640a10c5e035ffe9ab8c523b0fb818fc8909d77328acfe5b60ece19429dda757ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
5aab27bd40edf14474df8c242ce90f80

SHA1
3c7affcb8c203d46aa5f12701b1013306399fffc

SHA256
7568a9cf4efc0439c115e186cee2c6f5b9989a5db0f4086921eb94a164d70843

SHA512
c566ba6c5975b7f7c9322682ac229c847c0599f93346eadb56eb66b4128ad4433db8fbf26d4a992433a172668ae65b35d175f0304edf45b3773515c35a925f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7091d328bb1c8b006e45afaa9cd967b9

SHA1
9bf1531a82cb86f3dfb9cf0a23748c55b1a7bff5

SHA256
8de5d8806611915e3b5ee972c825944b94e759863c3f8ff4770e8cff717e8131

SHA512
172a3819318f95bc37a9b372cd04d25a502857f81a2c95ed116bd2c21d57ed2c7ca795260c7531cd16ff7653997b49d800f7d25133e04e4788c51d7c8a2c4893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
4b7bfee8a1d539e9b51fc2200c7f9833

SHA1
62a25cc60d5562f4d5b5b8f9a9c37798af918fe6

SHA256
e839056003fa8bb2bfa3b17b6c26336d4d95e8010839774c8fa356a515ed4a5a

SHA512
49b7778eabdf031be90e20bd1edc25a92f67acb808004e63fb138bb460791d8560450788139840a6125c60a52912171f56fe058b31c66ff2d5ec4c9c1da78565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
0c63b328fc74d13285c3636ba6813fb5

SHA1
f1a6fa8c38120f2ed6f03d72a2bf6c1fdc2b7376

SHA256
c448ac777b4cee37268fb7cb9273214dacd4989f1fceb23767211b4b9a84168f

SHA512
fbe8a3209b5e43b3ae0c49279b36790c82f76414d6181dc76a3297562e2c050ff79bce160c0d6d19220a2d83fb6c539af6c1ddb26efdc4b69c6b5d2b1dec7bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
64d71620698d95174c1c614df42f5e7e

SHA1
5247a42169396dc3cb51529ec318d2d323f1fafc

SHA256
f6b2735ddd49747c27b2569db02b4c5c821d44f7b81b3846484604fd3f395f02

SHA512
f0b678df3047aa3068b8fd25c1e7ed6565f613a9f71d5ddcfc657a2d823988b1e53b61463335d857d81782127bfcded09de6359bc93d62d6a8f5d34b3fceb68e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5960d0bb10ce1fc065921607a52cedde

SHA1
e8126b327d76f77d76fd7c30bfdb17aa646086a4

SHA256
903be4c94b6089b7365689db060c11dbf4c679d7eabafe89bcb43979934a5bc0

SHA512
601f0e3d6f28f91e34b5b4bab63512f55ea8a9483bb84ef4e89e6e8231ea13c9cc844c2008f33b0ce689fa9207b753b882acb6a80c723df83adc4d7ef5e9dd4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
3729ea2e01ad921eb9ae1736e3edd6ec

SHA1
1feafe8ee28634008c94d4d8c9fc7e41314afe75

SHA256
6cb427c48abbfed369e731e0e9a5b5fe27778ad32e1dd7c8d5a7ddf6b9e66e20

SHA512
f8255a3c110042d630bdb3887d736474093be4e20ae21235f9054ea33aa01cff7769ebeb4045e69dc316f3fb80c3e600d2302a9a6c811b68ca6939836b6fcc36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
61b33aec7488b7238c18c06a2db16b1a

SHA1
6c420d3e4d711ecd54bab25a67020d5b33c0a10c

SHA256
f1c74ba1b610ceecc4b247468623c1f92ead770ec15a1d04aa637b23a85dc21a

SHA512
2edff4f84ec6bfee647199d0fe0c81ec1cc66ef8c54c4d17109cae4c4deb64b4ac7b66c32d68938dba07ca4bb081a20c12bc4db907d2ddfcf72c8ef9b3fb69b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
40100477891c7e25671c8ec1989c163d

SHA1
0e806da965c1c34220fad6d4f1b545589c20630f

SHA256
2b5be6836698a653c2fbb732649b07480a1cb50a20270978120fdbd0ef05a9eb

SHA512
c36ca438d155c1c7930599525cab47abcce6bb9191928727224c7aafa66fb58a6060956ba64e15efa48d5bffa5f482d487c224c3031893ba2483b3b383c40fa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
ea8f4ccfd0086193af47791572c631b2

SHA1
4895c076409d80371db79489c34791b08560283c

SHA256
8538d751fdcd138bb491323c69e0891d14cb45e693b068b83dcaf923104b1696

SHA512
e0eb47b5a377139c810ae946a5008f6c34e36ecbb1e7c8fdabf6b99eac2e8df8b9e4b99e30320b84f6c09a171e356cfd479de1ede7f205cfb4bb029b956cea96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
90KB

MD5
79442e0d7f95b33c11afdab80d2b9762

SHA1
83874167bf933ca3dd1a96540f323abad857f22a

SHA256
967094c5366fb2d2f6a3eaa05fb2b8c26820314116a65315b8b2eabea5b197b1

SHA512
3348a1b09e0476d7b1d959fec28668f67270fb344f202a1538f834d5b612bcb494e72031e1eee46f45998c81e8dc9e11964147b07f5a2fb9a5d2bcc3a1bdca5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5bf0e4.TMP
Filesize
89KB

MD5
80edc129b495c95b12d4052ba6ac5cc6

SHA1
cdb3e76cd09b9c9d84da3f079e4d1c47a5c65201

SHA256
d8efdef9a001fb89d4c590e4f5c6fd01de095ae118abe347e2828ae157496ba4

SHA512
b5d4bfb1733c05760e89a7549a70d22f68a104ccc69a7a5869b81e1d73cbcfa6190024549dad2bca2e1ebe95b5217dbafd79142b2180a1560e7761d7b3fb3010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.4 VIP.exe.log
Filesize
1KB

MD5
a9141ed1837f780cf691c7ce790db9c5

SHA1
86d5a6683a0031226f8477cb2d60edf65325f1ec

SHA256
cf428d3c771587984baaea34a2f01139009f4493431db844f2114daff8f958f0

SHA512
c573c632ab243eb226a878e67c03b328f341ccd8c8696c0f0b6ef7bf6cbc1ae72a1444fa4ac831547590b9420092b4a43528bcffc5ddeeaca071cdb951fa4bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
dac88853583064915bd6e4630816e015

SHA1
749c22438c2d6e5f6c7d13b39bd8bd29940641b4

SHA256
0308ccf86d0c717ec3bb8ad5a057264589b74314b28cc65f58d0015a376fa568

SHA512
eb9daf7900c9cdebb181500b0c13875b64dfd12e084f9495af95d13af6d4b9019b1d0b49931f9a402e37a251331839a57a6e9ac50936ec7129d75fd6f0e5eaf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
8b22500335e7aa3d3aecdfdcf0d8afa9

SHA1
b5076238081a2c0e2a8f0c27cf5d8261049abc05

SHA256
cfde4ad579a3bc3b0eefd838ac0644a0771dd98275642a979b177fc9d33cf270

SHA512
ed67ca8d662bc70c8f08ec10a67846ea5f4f0ba9a02b199ac702fb3bb1927c4ffcf2a3574d907370ab81bfbd86d447e142a5b42ec4f40db83e9ab69b4b5e6651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
436e710e6d938fecef5cafcd3c906878

SHA1
e94a7a470a3d27ab350d545a0ba1e12a375679c2

SHA256
34df4878dda9f1442406bd2fa43b77cf41de9578e52e18b6e3815e61b292363c

SHA512
d11b83d1b5dcefddb32005538cd439a0ad84c7ca81f691278bd227d26d31d6a3851b816e4f5b5602e10fca4502fda5e75e74ff68dea37aa2390387cd080b0268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
520B

MD5
325c68cb570a7d75bf1770ae70d2d892

SHA1
0dc414635b88c8231cd3107b1f88b6eaeaf94805

SHA256
d6497d9310b2bb248cd767f94f86a3408e3d84bd15ccaad01b564ef377e69b6e

SHA512
882050a14c83b976dfd6b2d8eb782d8d40a71734ad30505a2e16f95b655233789c43499acfd5e05f6a556bc9e7b9622d2a60af08bca066855ded34f25fdb9c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e04214e5c4f4a97626006bab4622d95c

SHA1
918f1a5a4850d107733eaf761f2b03a148599ce1

SHA256
f609e5d837f967c550ef9e69b73969d790f91a289adb4231eadffcc16eb49c7d

SHA512
38fe3435469f968fdf737423f80f6b66742f3ccb03df9cb0c8cdea1dad9dac4f55e45aeb1a7dfd7353d18d039b418e1b12c08e04c094c2a8831e43ad6afb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c7b206f9f008eed199ba8f7285dd24fd

SHA1
23b24183db4c03567eeb0e2e67bd068e874c80cf

SHA256
f3639ed73c1aa53318ac0aa56730656aa6eb20d6872d8ec926985b9182940b74

SHA512
e91aa88b3a7855708f7a8abd819bf7053216b475e2aba0b5442f0630cf4648d93356fb9ed136b5ef49d084f896544f2371b013299c748d50147ba3300aae2fe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bc8d0565653e3cb8d73a981a996b25fa

SHA1
b22a553dfe0102c0b0fe711b1de24498589de2cb

SHA256
bc66120614e7004a740644086192bd80caed2c814a94033d2786d6a6ac229d47

SHA512
d4529c129b661bfb2a7559676ccb796069b85bd1fadd68a66b89f335af9223bf1719ebdf728f4ce2c158115d483d3416b38c3752906c52a7b098e25bd088e47d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2ac93f4549493c97865be90d44687af6

SHA1
86c23073eee5b787fc6998af51e17d3df0d41101

SHA256
1402800e6eb04f7ed0a9d4ac73e3cb06c62167bcf1ea3d489975a01edaa85062

SHA512
e28a513b8da8a2b3b45e7face6c1cbd319ea50ff826a1c9b531343d9485406961d9a1a3b2ad4af24023c793cdc3a38b20cbf12d822d1168b124f9ae976134876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
450b0da88900b443245585c274ee451e

SHA1
4afc8863cdb701ea7cc26d576af5bf945de4fa8b

SHA256
a9d17b2b5a64b01a569a9a64c658680b6d4f58f951ad5972e50d8a1d543c8881

SHA512
5aba973c09296ad0df18861e4d590abad7f1e36709a8ab51b94992c2143483b0f93664727b54ab45ce2aca9cbabd8cd41e7bfacba6cae52f046828a6ecaa45fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d69e6d1e7d958d2a2d9703aff40b9076

SHA1
bf671bd5390cc89374f8fe7e1f4dbb32cacf3a8b

SHA256
f4e0a501cc95dc5540f9ecf001539e9f95db91835b82773a77834bd83c290be0

SHA512
d35d5207ea92c476ed19c3d2898fb7e9bca5f7c9417ee1a2ceefc2ca9eb23755c4a7f7eccdc945570f7b8a3c14a78fcd0786aafc894d1ef89e3cbe128a1b796d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
2d7f7b27f0e34bd1a1ccaf777815d3b5

SHA1
f492791b4c7341269fc2668d20755a9e0d04d4e4

SHA256
5c5d1d050eb968606df0c105e50f1713750824f08d79099a7add74d5fcb00dbe

SHA512
4d2ed7859b3241fea34aed10938a544cf8f0f33837ba484ba9f502fd2c233dad6b481544cdfc181c770131309f420caa3fa91d2e2b6615326ed62ecc1c40516c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57956a.TMP
Filesize
48B

MD5
3213a87081ae65299246ce0590ecfea9

SHA1
84bb5b59f808b8e3a427fabf7ad0f44ff20ec31b

SHA256
6e3d228785f6048525173a9a5a5c9a89402424c96e9101bef8daa31c1c066724

SHA512
f23dbda04a2291ea341dcdc512763a778519c89cdcc2f17fd377bfa3e47c4146e3aac489a4957775b86563ed252069d9fbd947af8f6884d2a1a0a528066730c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
705B

MD5
1a07d1267e58222cff868cd93caf07a0

SHA1
546601b17f506eec82ba97134003c3b3beb64826

SHA256
ea4c7ad75760a47d4395773236a0aec6f20ac507026cf309a7e459f4b30e3af8

SHA512
bf05af5e8cb8e68cc3f2447d834759461240ba97c858211163a6ee2d205880576d14fd1b78527dd1c38cff3b89946c87e71415824924a26999f4c0a371ac96af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
705B

MD5
353931274eea908b185d6c6bd87af0e9

SHA1
ad0b41e80772d00db6329b820a5f81bff5016d9e

SHA256
512e317243108bcdb214a0c3e91759ba509a5434ae6ea5b9d58f2e36eabc46b5

SHA512
cc63b5f57ef98b339211a0274de7bdbe8eec2af4ee3fde6cde17e9da6dc250cb17184937ba540c630c8c795ffe9ebb774d12bb2e4eeaa195c5f026d628c53468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5986ca.TMP
Filesize
203B

MD5
195ad26b481472956dc5e41ab1f00a38

SHA1
9e61e7e880a956fc4e85d7c917c3e84e8e907b35

SHA256
cab434ae221775c86128f77d27ba858bf71196bc27b9fccae871c98f4cb25168

SHA512
cb4c57332d41ac4c8a86ca5ebd2b5624e94baccc058eb891677a04f24b6880f51ce9092415c98c42d45afbf877bceb2b04c6024c6712966e26fd6384d85d0533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
67e97b08904591bcecad134113771aad

SHA1
745018f93c0e6f3207597c55df796eab915d2732

SHA256
49a57ddc507f63d207097158c32231fc7d4902bface25dbbc4540c5791ac21d5

SHA512
f6ee4364e38ea3186a53214259bdbc82b9a65b402e21055e4e19d4552980e844816ed78c53f70b30be17410e533ce0c6d9d8bdb0ef17bff803200555a2eb55b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
222f45ba2e49415ce1a0b5baffb924fe

SHA1
eea6900cca84c5c4be4c5cccdfc39bdb30bb3a7c

SHA256
ca0395f0baabaaafb89fffe5397143d0d3ec8aeb5035225d21068cf276193672

SHA512
7db56ae180a173f13ed8c76e213034cbc5629763f51c1b5b457721fcf0d9aabe510dfd9eddba78399cb6b2809fe03181362d85fa18d19482015d6960af24bbd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
db8002c76d86a845f3183951a8d69f56

SHA1
7b547f682b19f2267e620cc53c372e904b668ecc

SHA256
9a391f0051eea7b058318fe1e3db872847d9ba2eb534f84cbf07ac972678b001

SHA512
04180458f6ec5cc4618fb5427449f404906fbcc4eece3526ae8de93b2409ee1fb6732f997753a97aaa6a2aad8650188efc94ee7d01ae2c5f8bfa95af2cd2e163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
866201232819bbbaa512c3328df15ed0

SHA1
e465c7f00137cb8d97f776c3ee24e56502677419

SHA256
0964fac301e3c579fc040f6e1c7be08f27c5f90b50199e5801c7580556113b16

SHA512
994f86ef30bd6a69b572e3035d744b6ab2dcf7f130019398f1e4bd9f34b9210cb3b9989759bbdd48b070a77517cc4e271fac274d23533e2db5edb33e102b52bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0lroludl\0lroludl.cmdline
Filesize
318B

MD5
3ece1c9baccf70820e3135ab21ac02ba

SHA1
9fb3eeb18bbff3aa3d2c9ce1fa775d8d77df0946

SHA256
99b70de0f2d4265a9ef3cec973dfee88bf2cb75e56d54f28a3b7f46bcea5afb1

SHA512
29b1b5b077050f00865e737f47c6df1cc531a2bca4facefe939c70fcc54b5dbea45d08ed23883e9db27bbbe6f0e675194da2d5648ab4be01bdafd69d713f38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC24A8149\Icons\icon (15).ico
Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogpXG\ogpXG.dll
Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Fixer.bat
Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\GeoIP.dat
Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Guna.UI2.dll
Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Important Note.txt
Filesize
348B

MD5
dbc1ff2a32272519c2cf94ca910c4b16

SHA1
6a04e8a53f6a2ea9176dc1cc5a27d20bc7ed8869

SHA256
8e9e6e12943cd1a730c1b941a4edb3c5a8c68d412d9b52b72b53e0fd9cfb1828

SHA512
7b1a07effd03ff8dcc8a2997faa612ae52226bdb1baafa09da35b1b868746de907565f23c932d3ef2f5eadb33b40026e7b0e6b8ce0df5e783252d554973b068f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Password.txt
Filesize
93B

MD5
9a60b3cf8ebdaaabbd649cb69e614539

SHA1
a3ebeeb7b7c13438e8bec000a4251eb4be9bd43e

SHA256
5d2610a60c22eefeaece6700d46ea93eb9d7637b32466ba8d1aae78b91478cd8

SHA512
9995d9f919aef1e57c363a736089f696f6ed2d5cbd1704f5beb70f377b21c97056f3efc4cfbaf6048c5dc2bb34cd16f738e531450b50f112beda05f63acc5cc2

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\SimpleObfuscator.dll
Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\Sounds\Intro.wav
Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.4 VIP By WantHacks\XWorm V5.4 VIP.exe
Filesize
13.8MB

MD5
065a8d7fad2ad13b9f04de982294eb21

SHA1
7ecf3a3b1a0fa25f701787d98bd42c6f39c2f8ce

SHA256
3b2f28e621af3ea54abf28071e2f36143a30aa87a091f0ee3764c15b2dea4303

SHA512
0b828b1e545326258f46b7b0c535bfde1fff5ab4bf43bc729803a96e81f4b29a5d0e5a00e59ae392d517051dba37abd5f3b4dacc348242475cfa9e8cbfa16e34

Download Submit
C:\Users\Admin\Documents\XWorm V5.4 VIP By WantHacks.7z
Filesize
25.8MB

MD5
0e2d7a4bbe9b365ecc468da052bbe179

SHA1
6d4fb0796d3be714c23a8f3e96d739d9a1010c88

SHA256
279495695c21dfacc9aa1557881113f03bba0c341bb72c254194566d9b208c4c

SHA512
593405a4975f0246017548f3ccd3bacc41737e3e1c4f6a0ea5d96bcf6306404a1a91d418164ee348081ed4c9eb68701554dfaf20ba62b993b78e17afce930ebe

Download Submit
C:\Users\Admin\Downloads\XWorm V5.4 VIP By WantHacks.rar
Filesize
25.8MB

MD5
68fd5212328872df2abe84b54da019ca

SHA1
c24e5f2d6ea61fef90091612058b81ec1d81c586

SHA256
06ddb6f37c5bb232f7773825f8c90c503e9a0e037628c0e30d99ac011232db48

SHA512
59d1dbf00208ac455b8b59906feae7f3abdb1fa686c847188af709cd3e16822efb1df3831a2d6671b11f61bfb1fa8e4a3686888c2913c544bbcd6dc3cb22bdf4

Download Submit
C:\Windows\System32\perfc007.dat
Filesize
48KB

MD5
54eaefa841aa52bb3580aaa0e64094d1

SHA1
2bf779d07fe707a2adec9045ea06e95f219c1d18

SHA256
783878d5cdfa9dcf40d7ff3e7b5bfcf692c70188d1bab5dd7c646735122a8870

SHA512
a539aec842b76a000a61ca00f39a2557390e26a4ab34e3722bf3b252bd580a575951f7ad72853c256e0f0f03aa3a1552178965ca74696cf372ae00328bc28f6a

Download Submit
C:\Windows\System32\perfc00A.dat
Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\System32\perfc00C.dat
Filesize
43KB

MD5
8b4b53cf469919a32481ce37bcce203a

SHA1
58ee96630adf29e79771bfc39a400a486b4efbb0

SHA256
a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

SHA512
62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

Download Submit
C:\Windows\System32\perfc010.dat
Filesize
42KB

MD5
bea0a3b9b4dc8d06303d3d2f65f78b82

SHA1
361df606ee1c66a0b394716ba7253d9785a87024

SHA256
e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927

SHA512
341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

Download Submit
C:\Windows\System32\perfc011.dat
Filesize
35KB

MD5
17fc81a0e3f9fc02821e40166f1cb09f

SHA1
2931659b064a216371420db215b1f48de29a1858

SHA256
fe933b8ae9d8fb3283a76b42cfed31be01d02c91cd7ba742b399df613762fff2

SHA512
19a93f08124962c9826cb6794b897ddc3dd3391e2b24cebd70c2a8027aa082d2b65f2d92ba438684d6e0490f1dabb714bcb17561b951807589c5ce920f2e6031

Download Submit
C:\Windows\System32\perfh007.dat
Filesize
320KB

MD5
b9a5000ea316ac348cf77beb0e5bc379

SHA1
4e666af14169eb10a0a08ac2f5ed5ecf4764df46

SHA256
1b25a6879c667258cdb900683004ef007c6b3a1a933d823b124d9a6acf9de608

SHA512
9fd911586a0aebec11c48e9f78de3b3f6e41c98a2770f5ac10d0a3947b4b3f326a8c5028c478c8634fb84a071186606e69a7aff83b1cf972d4728e3923503118

Download Submit
C:\Windows\System32\perfh009.dat
Filesize
310KB

MD5
1ad05e460c6fbb5f7b96e059a4ab6cef

SHA1
1c3e4e455fa0630aaa78a1d19537d5ff787960cf

SHA256
0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71

SHA512
c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f

Download Submit
C:\Windows\System32\perfh00A.dat
Filesize
347KB

MD5
49032045f6bcb9f676c7437df76c7ffa

SHA1
f1bf3ba149cd1e581fe12fb06e93d512fe3a241b

SHA256
089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641

SHA512
55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

Download Submit
C:\Windows\System32\perfh00C.dat
Filesize
350KB

MD5
518020fbecea70e8fecaa0afe298a79e

SHA1
c16d691c479a05958958bd19d1cb449769602976

SHA256
9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125

SHA512
ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e

Download Submit
C:\Windows\System32\perfh010.dat
Filesize
340KB

MD5
f9fcefdf318c60de1e79166043b85ec4

SHA1
a99d480b322c9789c161ee3a46684f030ec9ad33

SHA256
9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7

SHA512
881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8

Download Submit
C:\Windows\System32\perfh011.dat
Filesize
145KB

MD5
f4f62aa4c479d68f2b43f81261ffd4e3

SHA1
6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa

SHA256
c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c

SHA512
cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3

Download Submit
C:\Windows\system32\perfc007.dat
Filesize
137KB

MD5
cacc87a7a4824d4fca6da760d909821d

SHA1
a1f2ccfa48a2d8877425f16e0723e3b3ce8f0f67

SHA256
1f431b499e240794a4f798579cdb642dcac1b271451291327404c98605e5ebf6

SHA512
7ac2c48b41a1b13af9c8a0097d913ff5c8fbe72456faf49d0dda213ffe6ed4d2373f16963d42c5d9d09cccbc8d70ede86eba03c815a4c9b2c6af8a5d739c76ee

Download Submit
C:\Windows\system32\perfc009.dat
Filesize
32KB

MD5
1e60bc5e525063b96078df17fbd3c4e1

SHA1
bae8eda409cb3e016ddd420c6354aeaac2d267b9

SHA256
a0894847ca6208cf7e519d8e825458596bbcd78156a453e32872de7592ea20d8

SHA512
5758d535e4ce20cc30b9b57fea1811feffb2655ecc6eec69c942defb4b4f8c06e8e37860f85ec7cad26df9d7635ecaf131a68ec4ee291aa36e448c7ef2339652

Download Submit
C:\Windows\system32\perfc009.dat
Filesize
122KB

MD5
243bb32f23a8a2fa8113e879d73bfdf7

SHA1
2f9d0154d65d0b8979a1aeb95b6cf43384114f70

SHA256
69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c

SHA512
34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8

Download Submit
C:\Windows\system32\perfc00A.dat
Filesize
142KB

MD5
bf9f94add28d5e54272b9ec709011d4d

SHA1
7a4070535d0863aa55b59e7c874b47c18657ec50

SHA256
018b8f05912e9caeaff136227834ff2b6515aed2eb662741154230ce1d04b3d7

SHA512
3ebc69f34b9c6effbeffe5681b0555cd6b3a73ffc1ef30916525d7a89c7cb9dbf6b8bf5b24054d2c74a966c47b41e676ac46949224bb551da2797fa63f7989ca

Download Submit
C:\Windows\system32\perfc00C.dat
Filesize
137KB

MD5
9c5082e51f9169b23796382010d5e69a

SHA1
46b0d3c2a8b3829bd61f3e313f3268a9bb0e1a40

SHA256
4abbd4c74fa008754210062d9b25a31c7b27ae04c698d493b7a55fd671ae1447

SHA512
957d58c45dc10e74ef78e68df4153a40c7cef08ace2ddc210dbdeaaac363957d4af0bbe3645f393d812b2ab8097b52bedcafebaa1aa5d015d8933aa34e33a615

Download Submit
C:\Windows\system32\perfc010.dat
Filesize
134KB

MD5
579c88201673ae4d679c6da369fc768c

SHA1
46c67eb656a170c0e2f9193dd3a5cdeb6f99aed9

SHA256
dd841a219b2524a5403be0ad43271ff711147182487269726b60212139516fc1

SHA512
fc4370bda6e57d9060209ef2b66fa0aff30081a8391ad7a6cd2d35d7271f5d377db08508e46beae8cb7c9b3541673204de903154d8c76340788120c210acaa95

Download Submit
C:\Windows\system32\perfc011.dat
Filesize
122KB

MD5
451fd3eea8608134ff91280fb0ff7e4b

SHA1
e81546c72260060eb757195f3702014533b527dd

SHA256
a8228c74b4dc81c755c56beaa5e91515d09c24e80f820713b3095816c4e552db

SHA512
7bf51087ea8b8a0d2ea7b2a0e3b1cff8e44e3549735b1ae757622ca7157c9391132f7d68711a91fbee7f681927759ca552cf885f5aeca4a6a005d8a27fd5f8fb

Download Submit
C:\Windows\system32\perfh007.dat
Filesize
298KB

MD5
eadd51b4e0a81aa0a1ec7392a1ce681a

SHA1
f384c3bc0f16ccb5049ebbf7df776e684da84706

SHA256
1a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4

SHA512
de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4

Download Submit
C:\Windows\system32\perfh009.dat
Filesize
290KB

MD5
56c3b96dd714b0da77c0b9fb0d392c86

SHA1
6dfd6e883c67ea4aef8a03d28874a677441e512f

SHA256
1bc70ca290a7b4afc37049a8435c81d9b863520609d2e4f627d08cd21c07a58e

SHA512
c2036039da93d0c594b99aad74f1bb807c7230a746d749cec57a5f6012e8dfc401f9430fe1c7090280532ffdb044f7a4970e17e5cede82581793d69e9bc6d10a

Download Submit
C:\Windows\system32\perfh00A.dat
Filesize
706KB

MD5
3ced0ee756099c860ec2ddda26b0ad3e

SHA1
3cb71d0bd58d57dd1b1b4cce9604546480523bc5

SHA256
553b18d6d6666ddd0325af89a6e0e6eb5a5e9d6780c71f595d7e2884b57d8822

SHA512
84f8c2b3d817fdf1252f6bc6bf14119e45ea098b6401e52c61014ffd7c4ecc69a2ce27886f64b6a132dfe88d400ecd2e24a8a0f87d208fe1412604aa41462086

Download Submit
C:\Windows\system32\perfh00C.dat
Filesize
710KB

MD5
23270ed87d184d7992983cd5941360b0

SHA1
600a3e067a2490f1c204b5280cfc475be4f50959

SHA256
b090fba956652c7bd1e48b6ddb64b443236dc828de37b1ddf777e0feac276976

SHA512
0ab0511f853220779b2a2cac3d93db9d084d0c4cd1153e1820350e9fca0bf24a03abd108a2a52309786caa16793c301aadddcf398c7d05b3b1f05e1b39720eb3

Download Submit
C:\Windows\system32\perfh010.dat
Filesize
697KB

MD5
97566ede26c69e0c3f452c491bc725b3

SHA1
c20ea4cf93a33378b9389be36d3dc919e84238a6

SHA256
16d1f5b0334a0bd79023e598a94b80e7ec84e0b7583030c0ea6acc46a4d6f8cf

SHA512
097c12024bb746803b29499ec68af33f98ff8d6d3c039e704a2f8344fd5d9b4d4c6ed63dd46735cc147305cf00cd84db3b2870bb9dabad0d96e1208d17285bc0

Download Submit
C:\Windows\system32\perfh011.dat
Filesize
446KB

MD5
e5966c4fef65e8fc0f66895f4776f1ca

SHA1
2819d993e64bf032fc2a4e71d0c40f349f9639d6

SHA256
51ae507017508db59eb8cd168a2219467ed9f9e434c78216c552619ff37601e1

SHA512
3e08fb643b8a7040ff5985d666b07d852f995da282e7ee388dae5785bb0ca543f18c34815077f23e277eb44454703fc0ac369b4ceccc04f20c2be861a8b61034

Download Submit
\??\pipe\LOCAL\crashpad_1448_XAFFPDRCASJNALUA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1960-3861-0x0000000002380000-0x000000000238C000-memory.dmp

Filesize
48KB

Download
memory/1960-3826-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1960-3873-0x000000001E1D0000-0x000000001E6F8000-memory.dmp

Filesize
5.2MB

Download
memory/1960-3872-0x000000001B630000-0x000000001B63C000-memory.dmp

Filesize
48KB

Download
memory/1960-3846-0x0000000002420000-0x000000000242A000-memory.dmp

Filesize
40KB

Download
memory/1960-3862-0x000000001B620000-0x000000001B62A000-memory.dmp

Filesize
40KB

Download
memory/1960-3859-0x000000001AEB0000-0x000000001AEC2000-memory.dmp

Filesize
72KB

Download
memory/1960-3860-0x000000001BE90000-0x000000001C1E0000-memory.dmp

Filesize
3.3MB

Download
memory/2920-592-0x00000276F9F70000-0x00000276FA164000-memory.dmp

Filesize
2.0MB

Download
memory/2920-582-0x00000276DCF10000-0x00000276DDCF0000-memory.dmp

Filesize
13.9MB

Download
memory/2920-590-0x00000276F9030000-0x00000276F9C1E000-memory.dmp

Filesize
11.9MB

Download
memory/3604-3839-0x000001FB39F50000-0x000001FB39FD2000-memory.dmp

Filesize
520KB

Download
memory/3604-3849-0x000001FB39FE0000-0x000001FB3A17B000-memory.dmp

Filesize
1.6MB

Download
memory/3604-3838-0x000001FB3A930000-0x000001FB3AC12000-memory.dmp

Filesize
2.9MB

Download
memory/3604-3840-0x000001FB3AC20000-0x000001FB3ACD2000-memory.dmp

Filesize
712KB

Download
memory/3604-3813-0x000001FB3A7C0000-0x000001FB3A928000-memory.dmp

Filesize
1.4MB

Download
memory/3604-3837-0x000001FB333B0000-0x000001FB333DC000-memory.dmp

Filesize
176KB

Download