agenttesla | hxxps://cdn[.]discordapp[.]com/attachments/1246679036214775850/1246843713439928370/Xiern[.]rar?ex=665ddd32&is=665c8bb2&hm=56466b56cb68af41a8827c77d7c1e188db9840a2a1108ee465ee09284d57b5e6&

Analysis

max time kernel
30s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1246679036214775850/1246843713439928370/Xiern.rar?ex=665ddd32&is=665c8bb2&hm=56466b56cb68af41a8827c77d7c1e188db9840a2a1108ee465ee09284d57b5e6&

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Xiern\Guna.UI2.dll	family_agenttesla
behavioral1/memory/4272-106-0x0000000007820000-0x0000000007A34000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XerinFuscator.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XerinFuscator.exe

Executes dropped EXE 2 IoCs

Processes:

XerinFuscatorFucker.exeXerinFuscator.exe

pid process

3344 XerinFuscatorFucker.exe
4272 XerinFuscator.exe

pid	process
3344	XerinFuscatorFucker.exe
4272	XerinFuscator.exe

Loads dropped DLL 10 IoCs

Processes:

XerinFuscator.exe

pid	process
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe
4272	XerinFuscator.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Xiern\XerinFuscator.exe	agile_net
behavioral1/memory/4272-96-0x0000000000D70000-0x000000000123E000-memory.dmp	agile_net
C:\Users\Admin\Downloads\Xiern\40585F64.dll	agile_net
behavioral1/memory/4272-127-0x000000000AFE0000-0x000000000B122000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

36 raw.githubusercontent.com
37 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
36	raw.githubusercontent.com
37	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeXerinFuscator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XerinFuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XerinFuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XerinFuscator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1880 msedge.exe
1880 msedge.exe
4504 msedge.exe
4504 msedge.exe
484 identity_helper.exe
484 identity_helper.exe
3396 msedge.exe
3396 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

4504 msedge.exe
4504 msedge.exe
4504 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	msedge.exe

pid	process
1880	msedge.exe
1880	msedge.exe
4504	msedge.exe
4504	msedge.exe
484	identity_helper.exe
484	identity_helper.exe
3396	msedge.exe
3396	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zG.exeXerinFuscator.exe

description	pid	process
Token: SeRestorePrivilege	4056	7zG.exe
Token: 35	4056	7zG.exe
Token: SeSecurityPrivilege	4056	7zG.exe
Token: SeSecurityPrivilege	4056	7zG.exe
Token: SeDebugPrivilege	4272	XerinFuscator.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zG.exe

pid	process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4056	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4504 wrote to memory of 1796	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1796	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 2112	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1880	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1880	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe
PID 4504 wrote to memory of 1904	4504	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1246679036214775850/1246843713439928370/Xiern.rar?ex=665ddd32&is=665c8bb2&hm=56466b56cb68af41a8827c77d7c1e188db9840a2a1108ee465ee09284d57b5e6&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb42bf46f8,0x7ffb42bf4708,0x7ffb42bf4718
2⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
2⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
2⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,2838721944892872188,10459635459667173883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1792

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xiern\" -spe -an -ai#7zMap28879:72:7zEvent31997
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4056

C:\Users\Admin\Downloads\Xiern\XerinFuscatorFucker.exe
"C:\Users\Admin\Downloads\Xiern\XerinFuscatorFucker.exe"
1⤵
- Executes dropped EXE
PID:3344

C:\Users\Admin\Downloads\Xiern\XerinFuscator.exe
"C:\Users\Admin\Downloads\Xiern\XerinFuscator.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\Xiern\40585F64.dll" /A:H
2⤵
PID:1852

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
63c2eca382968a7a1704395e473d1fba

SHA1
ff6cac3dbdb821c56daca38e8b3754e1b2b8605a

SHA256
47f364c439d3deaa7994d8beb97bc9ac28c24557dc691318de2a38aa42ea64f1

SHA512
6fcc54006688bc17f74f2f6753401b0d1df9fe34090ad97e011b6b2eb61d7c96c03d34e49fe806871298fb3d16f4c7f08a8c1b61570b644ecb9731fedb8f8306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a73432fcc7c6ea97407ab3c4bffa31d1

SHA1
53c67dc3e6afd203fb61317c6cc2dbf4307af530

SHA256
c907f6b6615290387c010a586ea1f7a225c002e93e95c115f691b9ebd7f0ea8e

SHA512
a43f8be1ee0fcab1f7a2fe480ad1543cf00ec9be41d0ba502bf80b060db74e6e009ef5cc140e4a291d450b0527e6d1ac8613123fb270a459e719437a88c53c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
bdff7423a9a53965cb936a5d203808e6

SHA1
d515b571acf8cf64020e2c000512b184d98745e8

SHA256
f1f022a4ad24fd8972779eae5590decaf5d7c0e4181519544d64097f7f01648b

SHA512
31bd5b1244c54fdfe4cc0d6d3baa5fe7cfa2fbf998c797ee7d4b9f9db008c835814bbcdf3cd53aec5b6d764608f2e4962d3e9b0497aaf11d055335e3f4a884a7

Download Submit
C:\Users\Admin\Downloads\Xiern.rar
Filesize
5.5MB

MD5
781441aaf3a45240ab7c7334787e4866

SHA1
2ce4d314ed70be1f3278c5ba9eddb74e40aa40e0

SHA256
a5baa4a02e3f040bdebf4aac587d62f5a5f6af0bf20e1ba7b00725932006fec8

SHA512
36156846d45d2dd07c999adfae82c3254731ba52d09d560fd5bcec7e49fb888da3486475973a19a9516f1de2ee446f47e2298207dae26eac48c23d9f4dd0099a

Download Submit
C:\Users\Admin\Downloads\Xiern\40585F64.dll
Filesize
605KB

MD5
e8fc38352862ee9f26ea98310ca6228b

SHA1
d61ca1128339024007be84f2c3a30e30c597b61f

SHA256
6486fd7ba81fc1f22d2bea279e1655dea5a12539256fbba4f8975abda117172b

SHA512
f0663851da02c62f0c36d2246d8186d12c60da98732f0bd4894011c25f00129bc556f6d7f7b229eb940c43d12c1a46a627141191ce5214e9dbc399515ee1214a

Download Submit
C:\Users\Admin\Downloads\Xiern\Data.txt
Filesize
30B

MD5
4eb99446804dd9182bba634b675f8820

SHA1
087c62695ff4ed06938e6435b5288a1a58f71fa9

SHA256
903423c6b5e691782e62f4c52abf2e4cbc3c8fa058d80c51e52afe96f63f80fd

SHA512
15168423762d476de5575ccedd6a9240cbc9cd5b07a0c5ad872de66d850532e65eaa8e58307ec08b597c6df9fa8d515194af3897e2ac41f20c4a9b5e5a817aea

Download Submit
C:\Users\Admin\Downloads\Xiern\Guna.UI2.dll
Filesize
2.1MB

MD5
278752062981db6fe27ba55f5099b8ae

SHA1
8446637986cf4a24e9135ee5c54f3170600e1e83

SHA256
538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b

SHA512
142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5

Download Submit
C:\Users\Admin\Downloads\Xiern\XAuth.dll
Filesize
161KB

MD5
c7d4a3ab07d02adc892e319bf3247fa4

SHA1
39100c0d278929fd287f18a4346ac69a0bfa5125

SHA256
4c8fb4e68ecb3e9ac2f9f24d99ead16413a125e7caa310662c28a68fd4f9818b

SHA512
f3a1207b1db42726b9542fbc7c434a02b1642f9d0f6599572f5a74136743898c45c25e94caad208c3a50cae86541ba94849d0603531060e8eabd059a69600934

Download Submit
C:\Users\Admin\Downloads\Xiern\XCore.dll
Filesize
444KB

MD5
e66e01b948d384710e109e7d562581d4

SHA1
ca4f9e82789ced5623792fd168f67b41abf20041

SHA256
aab1a265f0049d3004e1deda5939237a29c7914a46ff0b46c8158ce5384bb4ef

SHA512
21b9309b4407e5e59c3d2af9c8791bcde06c8100beed9fcebb1a710254a3f83cea915fc2e4ce87371c16a43e6e43a46e151ca92cb38dedba9b9f47a5727d8e00

Download Submit
C:\Users\Admin\Downloads\Xiern\XLoader.dll
Filesize
526KB

MD5
a67b3c5cf1da3dd42294c11e2ddc6df5

SHA1
422e8f46e4e977191ec788dce5a2623dbc232b58

SHA256
0649cf0c59f95bcc4f1ad77f70cc89522ef500d8b103bbe7ba418112c53bc2a4

SHA512
0deeeb282241b790fdf2646600f085fc2c73f9dd376bc503f5abe8387496620377ac330755d153384da5fb035b89bee86146c06c1872d54babc00cbbd358b225

Download Submit
C:\Users\Admin\Downloads\Xiern\XerinFuscator.exe
Filesize
4.8MB

MD5
5a8bb4280a95729fab667f826792703b

SHA1
0139dbfa18441b79ccc87e082f05ff59e936d082

SHA256
a6d109aa0a175087a583536f8d1dba93cfde21e9f217ed41ef086ef3df74ca5d

SHA512
d770e2c639ddea88512d15a311933d31d54604d5343fa8957dee596393354565cb635ba26406d91c921b85afb8286dd0ad746654ae217db1d6b2c9e82d3a78fc

Download Submit
C:\Users\Admin\Downloads\Xiern\XerinFuscatorFucker.exe
Filesize
639KB

MD5
2de060d3f9f6f67988efb330e29c4fc1

SHA1
e1496de704b21489642e9c2f4908889f42bcbf10

SHA256
ccc3947f54257accb39bc2e92aeca3e13e4e96c995682f1af8c3892b7fa2ba00

SHA512
ce664f4ab1e7f3d2bf65acbfa613cc4db3c4a7720ac71bd3432d9e6b2944c1c19fd81c453e8e6c33fe31efba90d370dedec4c9530737c2078982550a71b8dfaa

Download Submit
\??\pipe\LOCAL\crashpad_4504_RLEQCBHBHRXYTSIB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3344-91-0x0000000000F70000-0x0000000001016000-memory.dmp

Filesize
664KB

Download
memory/3344-93-0x00000000077D0000-0x0000000007D74000-memory.dmp

Filesize
5.6MB

Download
memory/3344-92-0x0000000005B00000-0x0000000005C5E000-memory.dmp

Filesize
1.4MB

Download
memory/4272-120-0x000000000AC00000-0x000000000AC8E000-memory.dmp

Filesize
568KB

Download
memory/4272-107-0x0000000008AB0000-0x0000000008C6C000-memory.dmp

Filesize
1.7MB

Download
memory/4272-106-0x0000000007820000-0x0000000007A34000-memory.dmp

Filesize
2.1MB

Download
memory/4272-102-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/4272-121-0x0000000008EA0000-0x0000000008EBA000-memory.dmp

Filesize
104KB

Download
memory/4272-101-0x0000000005BF0000-0x0000000005C6A000-memory.dmp

Filesize
488KB

Download
memory/4272-127-0x000000000AFE0000-0x000000000B122000-memory.dmp

Filesize
1.3MB

Download
memory/4272-129-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4272-132-0x0000000005520000-0x0000000005526000-memory.dmp

Filesize
24KB

Download
memory/4272-97-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/4272-136-0x000000000AF90000-0x000000000AFC0000-memory.dmp

Filesize
192KB

Download
memory/4272-137-0x000000000ABB0000-0x000000000ABC2000-memory.dmp

Filesize
72KB

Download
memory/4272-96-0x0000000000D70000-0x000000000123E000-memory.dmp

Filesize
4.8MB

Download