Analysis
-
max time kernel
100s -
max time network
103s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
31-08-2024 00:53
Static task
static1
General
-
Target
XWorm v5.1-5.2.7z
-
Size
54.5MB
-
MD5
76219b3556e25086fc52f8e2b93fbd0c
-
SHA1
066a0f875820e51a60c3552a06b7b97f8bab6bbc
-
SHA256
fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
-
SHA512
ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
-
SSDEEP
786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Guna.UI2.dll family_agenttesla behavioral1/memory/4220-364-0x000001AD9D510000-0x000001AD9D704000-memory.dmp family_agenttesla -
Executes dropped EXE 4 IoCs
Processes:
XWorm V5.2.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeXWorm V5.2.exepid process 4220 XWorm V5.2.exe 4860 XWorm V5.2.exe 568 XWormLoader 5.2 x64.exe 428 XWorm V5.2.exe -
Loads dropped DLL 4 IoCs
Processes:
XWorm V5.2.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeXWorm V5.2.exepid process 4220 XWorm V5.2.exe 4860 XWorm V5.2.exe 568 XWormLoader 5.2 x64.exe 428 XWorm V5.2.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe agile_net behavioral1/memory/4220-354-0x000001AD80580000-0x000001AD811B8000-memory.dmp agile_net behavioral1/memory/568-509-0x00000276682F0000-0x0000027668F28000-memory.dmp agile_net -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 15 IoCs
Processes:
msedge.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeXWorm V5.2.exeXWorm V5.2.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWormLoader 5.2 x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWorm V5.2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWorm V5.2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWorm V5.2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWorm V5.2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWorm V5.2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWormLoader 5.2 x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWormLoader 5.2 x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWorm V5.2.exe -
Modifies registry class 64 IoCs
Processes:
OpenWith.execmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000000259507c1000372d5a6970003c0009000400efbe0259507c0259507c2e000000279e0200000006000000000000000000000000000000ad98e00037002d005a0069007000000014000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000002599980110050524f4752417e310000740009000400efbec5525961025999802e0000003f0000000000010000000000000000004a00000000004c0a1701500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Key created \Registry\User\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\NotificationData OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7zFM.exe\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7zFM.exe OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7zFM.exe\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7zFM.exe\shell\open\command OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exeXWormLoader 5.2 x64.exepid process 3296 msedge.exe 3296 msedge.exe 1368 msedge.exe 1368 msedge.exe 1992 msedge.exe 1992 msedge.exe 4932 identity_helper.exe 4932 identity_helper.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe 568 XWormLoader 5.2 x64.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
OpenWith.exe7zFM.exeXWormLoader 5.2 x64.exepid process 3880 OpenWith.exe 236 7zFM.exe 568 XWormLoader 5.2 x64.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
msedge.exepid process 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
7zFM.exeXWorm V5.2.exeXWorm V5.2.exeXWormLoader 5.2 x64.exeAUDIODG.EXEXWorm V5.2.exedescription pid process Token: SeRestorePrivilege 236 7zFM.exe Token: 35 236 7zFM.exe Token: SeSecurityPrivilege 236 7zFM.exe Token: SeDebugPrivilege 4220 XWorm V5.2.exe Token: SeDebugPrivilege 4860 XWorm V5.2.exe Token: SeDebugPrivilege 568 XWormLoader 5.2 x64.exe Token: 33 4860 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4860 AUDIODG.EXE Token: SeDebugPrivilege 428 XWorm V5.2.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
Processes:
7zFM.exemsedge.exeXWormLoader 5.2 x64.exepid process 236 7zFM.exe 236 7zFM.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 568 XWormLoader 5.2 x64.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe -
Suspicious use of SendNotifyMessage 17 IoCs
Processes:
msedge.exeXWormLoader 5.2 x64.exepid process 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 568 XWormLoader 5.2 x64.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
OpenWith.exepid process 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe 3880 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
OpenWith.exeXWorm V5.2.exemsedge.exedescription pid process target process PID 3880 wrote to memory of 236 3880 OpenWith.exe 7zFM.exe PID 3880 wrote to memory of 236 3880 OpenWith.exe 7zFM.exe PID 4220 wrote to memory of 1368 4220 XWorm V5.2.exe msedge.exe PID 4220 wrote to memory of 1368 4220 XWorm V5.2.exe msedge.exe PID 1368 wrote to memory of 4436 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 4436 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3960 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3296 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 3296 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe PID 1368 wrote to memory of 2124 1368 msedge.exe msedge.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"1⤵
- Modifies registry class
PID:2340
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:236
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2684
-
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffefca03cb8,0x7ffefca03cc8,0x7ffefca03cd83⤵PID:4436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:23⤵PID:3960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:83⤵PID:2124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:13⤵PID:800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:13⤵PID:1072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:13⤵PID:796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:13⤵PID:2900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:13⤵PID:3988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵PID:1344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:13⤵PID:4808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:13⤵PID:1012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:13⤵PID:2084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:13⤵PID:3648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,3879053981334204028,7525848972582585451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:13⤵PID:4104
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵PID:236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffefca03cb8,0x7ffefca03cc8,0x7ffefca03cd83⤵PID:1752
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4232
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2736
-
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:568
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1308
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004CC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:428 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵PID:2940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefca03cb8,0x7ffefca03cc8,0x7ffefca03cd83⤵PID:3348
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51be7203acd6229945a1cba0d5e856b7f
SHA114ba215de70394a60f5616267ee855f368b41ff7
SHA25696210dd80524de4c054948d92475cee3574823cd8dc8331db1210bddcd3fafff
SHA51233300a8fcd18dde69d84a5892d8ff933e71a69328b1078793e00a32899f39ae38a4f8c75e1df7a56f516ac76dc65d4bd61aa9d9fd3a50be9e5774a94ad26f49b
-
Filesize
152B
MD55578283903c07cc737a43625e2cbb093
SHA1f438ad2bef7125e928fcde43082a20457f5df159
SHA2567268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2
SHA5123b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601
-
Filesize
152B
MD50487ced0fdfd8d7a8e717211fcd7d709
SHA1598605311b8ef24b0a2ba2ccfedeecabe7fec901
SHA25676693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571
SHA51216e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993
-
Filesize
28KB
MD51c987fe93c9ccce63912f78f15b73ce2
SHA1e07dd9e0742d8d0e6b615e52d47b754a35aa229b
SHA2565b6d25b85fe1a4e6ad598e0c5a1d228df511492b0b6ff7a4840f37b33aa930cf
SHA512e4bfb4a123ef7d18714c06b7218a4c317859e26025ea4847183dcba94b8cae8a419eb46fadac6b1d13e761280a963786794039c307be5894009d5f7d3492da54
-
Filesize
80KB
MD514e39be019da848a73da7658165674cb
SHA1e016473c4189a8cc3dbff754a48b3e42d68af25a
SHA25639595a1806156cfcadf3cc4e20c5c3f3eec721386a0551790a15f025ba9402bd
SHA512828a383de549871aa80ec960a7e371ef47da96d01ebb9628d1484ceed9eb698aec5109b3de0b24ff8000610a2c2d633616c9fd28d380656fecbaa930cffed029
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize72B
MD59810215a92fef85b05feef9497d743be
SHA1e4f6ed28685c0ca72371266b9ec7cf41a07c72df
SHA2560e3e681c86db6c19703e57b8a7b18092d1798ebdc06743e5fdf91ac8d22a74a7
SHA5127a227ce2060f60e656dfb5b9c2762895e34e570536b4463e916106051855bb10729f1de9bb90941bd7c4837e35e97234703f3a9300f601c8406a723a0bf95a2a
-
Filesize
442B
MD59ab8c66db2dfec493315df84963bdc2f
SHA1a37dc370468850d63a47fac4c6e9f74eb639d627
SHA2567b96b1707abbea5a7eac93d27813330edac46de29575e14583f9f35aeae8bf9d
SHA512e3b2a81d418d4df5af68782cf4ce76794e26449e74f1ba91340fa209d339fde8e805d9db993023d60c021d620c54d38888b952901f97ad7f026026e43b2f14b3
-
Filesize
5KB
MD5f529084481860fba124b104b4b78af3b
SHA1534caa127a33d5eb6f272aeefd2df3e8b94f80c0
SHA256bc12aa6bf9567b460eaeaa6701cf2bed7f02a08860b7c17d8968c9b00c73be89
SHA51283731126cbcd326d574b50233b2515c20b945e7256b0665dd8ac0cb9542927ab03e51e0fc92d685532bd9bf0b27979b5273152abadc6b5c02e62dd1a57867263
-
Filesize
6KB
MD50594ab1002c7a40c513b52c6f22fa634
SHA124586001618527996a530fcff882553f3f5802bc
SHA25619ab3194b1d669d94d39aadebb0e1a69b99b1085f8865fde5a37943f738b389a
SHA512c0c11506cabd927033671d959515e33095ae10a1276e3f9d64443cb4572f6016fececf65f1c8c20058f493e5a49adad6c646d8da276abc40619ab51cab8e73dc
-
Filesize
6KB
MD55816ee56f32cfad8a45bf3ae62f4efb3
SHA140188ad07fa22215424d0e5c9a0ab6b1bee33f48
SHA2561ddade422c279eebb28af17fd83a38f73cb5b02455f3165c7c2bdbb38f10d6ee
SHA512af5b00c94a428444dc084a4d3387fe6bd164234d15cab373e1bee572aea7d8aec210a6ac1b2b5dd9e76c61c4d46aa66986f30bc41fb1831dd2fa937612a44cd3
-
Filesize
538B
MD5ae737b4fe20a9dc74ea652de6d4fb545
SHA1656dd3cc709638da2bc3905358dc6bd81201bb92
SHA25684427c9cf4f7dab0fbeda548bcd8fba26321de5e0b6ce6e740ab6cc5f119853c
SHA512d5dd568f332a30208b777244fee174a4f964b08db3f658875839f614b5b54599e6b62c2f0ee0110abb66b0e2659084d0537d6504049d34b831433d323f1d121a
-
Filesize
538B
MD5b93c74a0fbc5b830d2508e2de9b753d2
SHA1abf2c75aef8995b1f4bbd4ceec8ee0cdde0a1c56
SHA25608c4400c18aba10654949a779807701f5560828e4d659cd80593141bdd6323ba
SHA512378d130aaaa25e2e3e08ce7f07c17d9ec5c00b8061693422f602f2225cc27bc711df79c213e54c9d910f18b295b4afa82db4eb7c82ad44b0816ef219cd1396ec
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5b303b6d29bb0e64a20f2105e888189aa
SHA18d6b09811d06c754bb0e0d71161da72f6b5c01f4
SHA256668076d5d5c1829ade72486c17629484a5a65edc1698c819e60f0be9e27ed21c
SHA512c8e48ea42bf993bfb865808d9b1427b73f7a59ce5ba29bd12405f910a9b89ba675ac5ce3e2577f539b5c4e75389068953e632793039bf08009460b678f17066c
-
Filesize
11KB
MD5f2c6c07653aa7015380b291a819f8938
SHA1f14a325be8ae6a2592bf2dd186221be8234e277b
SHA2565bb5aebad946a5ae1708d84aebde05c873aaf7ca1f6ec88bcffc04793b8cb239
SHA512355310904eb73183519f6f9b641a8170d5f86bd143e9747e7d7de430addf97edddd0b9de814e8690c0900888ea3ab66f64ef454506fb0084d852f41bc904e749
-
Filesize
11KB
MD5e521448804ca7777fba96c42d7b4fe20
SHA112258777e4359064235447744c3bc0b6753e6b8e
SHA256a6520adca2aa129e3ab7b126aeb88390caf69720d479231ef49abc39811d18f6
SHA5122a947f6a7b64ff509378d6fc8f9fedc25d27ff1f4ae334fce424daafbc40823d0d164e047769798148630ef6b72228c36fc910ffd0bf55b3898ff669003b4f33
-
Filesize
14KB
MD5a33787e517327f72efcce873b6ebf21a
SHA1d76398d4ed8acde14ab304a31159aa50e2d42574
SHA256e04ded5ef85016b8ad518f8135f6ff49d78ce5e8d9c89c94f0cc3a3b864dad84
SHA51229de0f4bc51eeb3a61608bb63ffc019bf028c4fb0376b012c608b4f5f1a4da2f75bfa8d15fa097aece03c0f031ecb3c925ccdccb9c6c8584072d00bad70a7e71
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
187B
MD515c8c4ba1aa574c0c00fd45bb9cce1ab
SHA10dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
SHA256f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
SHA51252baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
-
Filesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
Filesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
350KB
MD5de69bb29d6a9dfb615a90df3580d63b1
SHA174446b4dcc146ce61e5216bf7efac186adf7849b
SHA256f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
SHA5126e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015
-
Filesize
138KB
MD5dd43356f07fc0ce082db4e2f102747a2
SHA1aa0782732e2d60fa668b0aadbf3447ef70b6a619
SHA256e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6
SHA512284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e
-
Filesize
216KB
MD5b808181453b17f3fc1ab153bf11be197
SHA1bce86080b7eb76783940d1ff277e2b46f231efe9
SHA256da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd
SHA512a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3
-
Filesize
6KB
MD56512e89e0cb92514ef24be43f0bf4500
SHA1a039c51f89656d9d5c584f063b2b675a9ff44b8e
SHA2561411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0
SHA5129ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b
-
Filesize
319KB
MD579f1c4c312fdbb9258c2cdde3772271f
SHA1a143434883e4ef2c0190407602b030f5c4fdf96f
SHA256f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a
SHA512b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9
-
Filesize
241KB
MD5d34c13128c6c7c93af2000a45196df81
SHA1664c821c9d2ed234aea31d8b4f17d987e4b386f1
SHA256aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7
SHA51291f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689
-
Filesize
238KB
MD5ad3b4fae17bcabc254df49f5e76b87a6
SHA11683ff029eebaffdc7a4827827da7bb361c8747e
SHA256e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA5123d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3
-
Filesize
12.2MB
MD58b7b015c1ea809f5c6ade7269bdc5610
SHA1c67d5d83ca18731d17f79529cfdb3d3dcad36b96
SHA2567fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
SHA512e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
109KB
MD5e6a20535b636d6402164a8e2d871ef6d
SHA1981cb1fd9361ca58f8985104e00132d1836a8736
SHA256b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2
SHA51235856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e