Analysis
max time kernel: 30s
max time network: 28s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 15:22
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1246679036214775850/1246843713439928370/Xiern.rar?ex=665ddd32&is=665c8bb2&hm=56466b56cb68af41a8827c77d7c1e188db9840a2a1108ee465ee09284d57b5e6&
Resource: win10v2004-20240426-en
General
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 2 IoCs
Processes:
- resource C:\Users\Admin\Downloads\Xiern\Guna.UI2.dll: yara_rule family_agenttesla
- resource behavioral1/memory/4272-106-0x0000000007820000-0x0000000007A34000-memory.dmp: yara_rule family_agenttesla
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- XerinFuscator.exe: Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 2 IoCs
Processes:
- XerinFuscatorFucker.exe (pid 3344)
- XerinFuscator.exe (pid 4272)
Loads dropped DLL 10 IoCs
Processes:
- XerinFuscator.exe (pid 4272): 10 dropped-DLL load events
Obfuscated with Agile.Net obfuscator 4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
- resource C:\Users\Admin\Downloads\Xiern\XerinFuscator.exe: yara_rule agile_net
- resource behavioral1/memory/4272-96-0x0000000000D70000-0x000000000123E000-memory.dmp: yara_rule agile_net
- resource C:\Users\Admin\Downloads\Xiern\40585F64.dll: yara_rule agile_net
- resource behavioral1/memory/4272-127-0x000000000AFE0000-0x000000000B122000-memory.dmp: yara_rule agile_net
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- XerinFuscator.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- XerinFuscator.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- XerinFuscator.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies registry class 1 IoCs
Processes:
- msedge.exe: Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
- msedge.exe (pid 1880), msedge.exe (pid 4504), identity_helper.exe (pid 484), msedge.exe (pid 3396): two events each
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
- msedge.exe (pid 4504): 3 events
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- 7zG.exe (pid 4056): Token SeRestorePrivilege
- 7zG.exe (pid 4056): Token 35
- 7zG.exe (pid 4056): Token SeSecurityPrivilege (two events)
- XerinFuscator.exe (pid 4272): Token SeDebugPrivilege
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
- msedge.exe (pid 4504): 34 events
- 7zG.exe (pid 4056): 1 event
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
- msedge.exe (pid 4504): 24 events
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- msedge.exe (pid 4504) wrote to the memory of its child msedge.exe processes with pids 1796, 2112, 1880 and 1904 (64 write events in total)
Processes
-
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1246679036214775850/1246843713439928370/Xiern.rar?ex=665ddd32&is=665c8bb2&hm=56466b56cb68af41a8827c77d7c1e188db9840a2a1108ee465ee09284d57b5e6&
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb42bf46f8,0x7ffb42bf4708,0x7ffb42bf4718
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5088 /prefetch:8
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xiern\" -spe -an -ai#7zMap28879:72:7zEvent31997
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
"C:\Users\Admin\Downloads\Xiern\XerinFuscatorFucker.exe"
- Executes dropped EXE
-
"C:\Users\Admin\Downloads\Xiern\XerinFuscator.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\cmd.exe: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\Xiern\40585F64.dll" /A:H
-
        C:\Windows\SysWOW64\choice.exe: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat, filesize 152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat, filesize 152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences, filesize 6KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences, filesize 5KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT, filesize 16B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State, filesize 10KB
-
C:\Users\Admin\Downloads\Xiern.rar, filesize 5.5MB
-
C:\Users\Admin\Downloads\Xiern\40585F64.dll, filesize 605KB
-
C:\Users\Admin\Downloads\Xiern\Data.txt, filesize 30B
-
C:\Users\Admin\Downloads\Xiern\Guna.UI2.dll, filesize 2.1MB
-
C:\Users\Admin\Downloads\Xiern\XAuth.dll, filesize 161KB
-
C:\Users\Admin\Downloads\Xiern\XCore.dll, filesize 444KB
-
C:\Users\Admin\Downloads\Xiern\XLoader.dll, filesize 526KB
-
C:\Users\Admin\Downloads\Xiern\XerinFuscator.exe, filesize 4.8MB
-
C:\Users\Admin\Downloads\Xiern\XerinFuscatorFucker.exe, filesize 639KB
-
\??\pipe\LOCAL\crashpad_4504_RLEQCBHBHRXYTSIB
-
memory/3344-91-0x0000000000F70000-0x0000000001016000-memory.dmp, filesize 664KB
-
memory/3344-93-0x00000000077D0000-0x0000000007D74000-memory.dmp, filesize 5.6MB
-
memory/3344-92-0x0000000005B00000-0x0000000005C5E000-memory.dmp, filesize 1.4MB
-
memory/4272-120-0x000000000AC00000-0x000000000AC8E000-memory.dmp, filesize 568KB
-
memory/4272-107-0x0000000008AB0000-0x0000000008C6C000-memory.dmp, filesize 1.7MB
-
memory/4272-106-0x0000000007820000-0x0000000007A34000-memory.dmp, filesize 2.1MB
-
memory/4272-102-0x00000000075D0000-0x00000000075DA000-memory.dmp, filesize 40KB
-
memory/4272-121-0x0000000008EA0000-0x0000000008EBA000-memory.dmp, filesize 104KB
-
memory/4272-101-0x0000000005BF0000-0x0000000005C6A000-memory.dmp, filesize 488KB
-
memory/4272-127-0x000000000AFE0000-0x000000000B122000-memory.dmp, filesize 1.3MB
-
memory/4272-129-0x00000000054F0000-0x00000000054F1000-memory.dmp, filesize 4KB
-
memory/4272-132-0x0000000005520000-0x0000000005526000-memory.dmp, filesize 24KB
-
memory/4272-97-0x0000000005B50000-0x0000000005BE2000-memory.dmp, filesize 584KB
-
memory/4272-136-0x000000000AF90000-0x000000000AFC0000-memory.dmp, filesize 192KB
-
memory/4272-137-0x000000000ABB0000-0x000000000ABC2000-memory.dmp, filesize 72KB
-
memory/4272-96-0x0000000000D70000-0x000000000123E000-memory.dmp, filesize 4.8MB