stormkitty | 007b4d5c9d30e5735d6e66276263ac160647f82ead368b1ac28e1d776b289948

Analysis

max time kernel
1800s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-10-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bookmark.json
Size

1KB
MD5

31250fb90c32c3e1453c947715f7c711
SHA1

01d35f9b915574dc7898c378baa0259600138658
SHA256

007b4d5c9d30e5735d6e66276263ac160647f82ead368b1ac28e1d776b289948
SHA512

ce85530a216ef82669a517cda743947538675beafbb0594f75057d072b203f093845562244035930fa83294ad7868114ce46a3e9706234ad4764c2f10e24f257

Score

10^/10

stormkitty xworm defense_evasion discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.23:19182

Mutex

0tac3AbqQOn4BTfX

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

147.185.221.23:19182

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001400000002ad17-1050.dat	family_xworm
behavioral1/files/0x001a00000002ad1d-1060.dat	family_xworm
behavioral1/files/0x001a00000002ad1d-1090.dat	family_xworm
behavioral1/memory/2348-1092-0x00000000005A0000-0x00000000005B6000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2348-1117-0x000000001D300000-0x000000001D420000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3320	playit-windows-x86_64-signed.exe
2348	XClient.exe
4288	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
2348	XClient.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
237	camo.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\playit-windows-x86_64-signed.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 518929.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\playit-windows-x86_64-signed.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XWorm-5.6-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
1976	msedge.exe
1976	msedge.exe
4768	msedge.exe
4768	msedge.exe
804	identity_helper.exe
804	identity_helper.exe
2040	msedge.exe
2040	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
660	msedge.exe
660	msedge.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe
2944	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2944	Xworm V5.6.exe
2348	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2808	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2808	AUDIODG.EXE
Token: SeDebugPrivilege	2348	XClient.exe
Token: SeDebugPrivilege	4288	XClient.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
2944	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
2944	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1124	OpenWith.exe
2944	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3352	1976	msedge.exe	82
PID 1976 wrote to memory of 3352	1976	msedge.exe	82
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1696	1976	msedge.exe	83
PID 1976 wrote to memory of 1980	1976	msedge.exe	84
PID 1976 wrote to memory of 1980	1976	msedge.exe	84
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85
PID 1976 wrote to memory of 4940	1976	msedge.exe	85

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bookmark.json
1⤵
- Modifies registry class
PID:4652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc890f3cb8,0x7ffc890f3cc8,0x7ffc890f3cd8
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\Users\Admin\Downloads\playit-windows-x86_64-signed.exe
  "C:\Users\Admin\Downloads\playit-windows-x86_64-signed.exe"
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6228 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,2297857687004407715,17956046079093358075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3812

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rar2l514\rar2l514.cmdline"
  2⤵
  PID:2428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE24B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98091711478045EC9D2032C772A6B2B4.TMP"
    3⤵
    PID:2892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3620

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\ClientsFolder\EDA3F00D73015A5C9EE3\Recovery\ProductKey_10-12-2024 21;12;48;431.txt
1⤵
PID:500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
27KB

MD5
b07b8d96b10dc66e9b2dffd0577d677f

SHA1
d1342f5ada9ddbc8ff6b7cfb9ac2b6a13d6aeb87

SHA256
29f8b5c28b9464cf233fc6c0205bdc9a5221f6d2ae6320939bec8807bfe0d5f6

SHA512
5f1bc3cce9b36674ebdc9951c2e3b9af5cb7f0660b2847974f94e6e4c5585be136fd8f5cd7962d407ccd6d7daae378ebdcf89deb0c4f9f479b85e89ba11f1080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
42KB

MD5
c4b98197a24c1bf1d1dc87d4e44ded7a

SHA1
5bb87686486d5644c991148b5eb49b2548084048

SHA256
3d292da1869d798ace4b0f667bc97fa08766678187cc32a239027a93510f5cd4

SHA512
3c4b084822d61ecd19b8b40990b995b7f04d90ed51ca2f4e3eb61ce47b2d5e5ab02b8c2c5a413edd95106d207dffb8ffc3e20ae79e2ed8ed317332964481de80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
20KB

MD5
dc2a6466867f08aa8986282c2cf21912

SHA1
4c5566635ae3e30496bd921ff848f38b5095290f

SHA256
3479459441c0a79dc4dfa2c3a5fe64cb4791e57356f9686b0abea319432c8b1e

SHA512
c93dc5b0633a04c34bd853a0dd451833407c1b8bfcf1f67bf221b5bef3eebfd50cafc0c3689f3d879615180253c12d024fa64becf84c7d11d4bdf3c48c160eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
74KB

MD5
cd9a75d1facf4dbce1f17665520eb82f

SHA1
b1d6b455ec1941f13e41e4b3deb1768c1c1074a8

SHA256
7897084b81a034768ab6c4c49d84f6170892fcaf19783d173a640a1c66f82cff

SHA512
36a719394dd354bfa718d84d0af2b40b08c047403ccd89bf49c192c163e3d5541c77bf100d4bba7fddcc2796ee99305e31380febdf69e2a78420ee99cb76479d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
101KB

MD5
51b84831b1d4ffcf4d16ad11c07576d9

SHA1
271798636e967fba3fb294926f12392313e8896f

SHA256
7c3ef29107c35256fc79837019e3559a233bb3389336bd87f186fbaada3c607e

SHA512
1a6b6a415b1ce079b3fda596af6cc382bd55bba45d7d60370b30ffbea52a2b47e47e7fb5d348e2984ec30cd957dd75236af6c02ac75fbf729315b1a6de6a80a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
b8f4e0429ed479cc8003ef5bc9bc6c9e

SHA1
e51513ff65b4794c4a3d6ac5c1ed0fc15f0bd94a

SHA256
0e09ca90f65f749649bffec164647d010dfa5ec27537a9e9df5f67577470aa3d

SHA512
cb0a9bc752eee6357b4787f8a4e61247e49792735b27b7409d0fcb161fca296d532a13e4aeb014a55d0b27dcc30f523e3f133583a3f324db5f7cdec8936593a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
e809ec444f53e83a4a4254aabecbf596

SHA1
03a00f392f15699e9021ba02645cdccfbe4c3f23

SHA256
13c3100cc38373688010a9f8856cf4b6a6a36a67f3caeb965aa945ec907d1b92

SHA512
6ab2923dc44408d114bf49d85db3764172e146cca94f05db5560fbafb568fd85a2daf63f831dbfac4e530e7495fbdf27d11853692b7b9627b69014164c311964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a17060b047b2522ce46e3d40258c73d5

SHA1
f3d92ce3f8c4d980f71043decb4d0df3b606bffc

SHA256
daa339b2bcedf82d1ff9ba36946857c16aae7a0ec4364953acdb417f253e3ced

SHA512
29e6b76dd5aee1f5be39ea3d9fb37249726c04f5b30e63c31b2994dff989e2241ede1838a6787bc2dfb8bccdd7f53da36210c8b7041cd28260e2d2b73c331fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
1ea2847c2ff469d7f31ea9d9ae5cdca1

SHA1
0d0e583e210be070fc78cce711232ba28bfa3f04

SHA256
2f84bde4c2f7ce5aac79b78d278061d299e81a9962ed8d172542feea0458cb77

SHA512
60089e2324f548c839a0d38cbea67756817c10d2aa6319d36ae3f087b7478b8118bd170dbfa520be0f486b5acb7f1eebe07495104fe1b3d9f01af9fadeca32c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
59e86555532e3d6e1dad56233b66681b

SHA1
fe26a43db575eaa648bd029eb76eb2720239c853

SHA256
2970ab82c39711232ed2edefd1c06d503450f9486d964a9ecfa9f71df8236d8a

SHA512
5997ef1f5fb67f3dc7359ac91e8997679d50a8a80f778f2af421281051b406a1a12d16ffd24510b05c20c02cc5bc09b5ba88051ab2a425ea5c1493206ddfddce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
27456ffb9cd55c1fff0ddfaeee785883

SHA1
513f67788a859932b4de499a78761881237b88b0

SHA256
711153d11948e3839a829bc92559c2f8c146fe1eca78a5e86aaa9119dc1860d1

SHA512
925978296eba3a22cad1361e1845fa777c1ecdc38152637a6070177003a24321e96f5ec5e5d610301a79008d5c9984be7cc912b3f8c1c97239b5a5eb293fadf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
2e28d145afe23b771aba5fdd70102885

SHA1
ecb08457ae9ba7c4a1c87581cea6386608a84302

SHA256
e83301c3d453417a55b6bfa765d37f07cf0682a196647b0694d9541cad9c3152

SHA512
4ddbdd2a3334a49c8d35249294c79649651c73b60a79e38344b553aecb2a4898b7dafd3ab29234168360b69dc5223db8aa8cdf08ae66db74b630cdc1718d703d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
46KB

MD5
b64e56c5712c77b8d6835aecf187f717

SHA1
3b21748cdcb7e65b3ab49f918d7a20b291755535

SHA256
1930d07617d6c978d2d13c2226b7e773a08b5854515843e0f051fd31832d92ce

SHA512
2cf834f53bbc6285d7f5792594e401e55f11c3b28a8642edc12110753c10cb8a7092a58a48df3cb62d23654d93963a277bd1a636f5cc8fca781553c0cc08123d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
478f573f4f5bf9c8fcd58d3f543ec4e6

SHA1
c4ed10d0ef92e814ea5b284e2e54c51896f2b064

SHA256
65b1f6dc5f83223a636820943ec942527d284d416e826f48978a2398bbbb00da

SHA512
334b8a78dd4443e29b05f307da916487a08bd46be5ba0d9b4723546de36d8c14cecb0f4d656345b3584557cc9f3b5f4655bf511886be7dfde6dd8c4ff650ea34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5cbaa829296928eb2e0df8fc0aa297b7

SHA1
8fa0ff6936733a80a0050108fd21bb541255081e

SHA256
51235895ae854de332bc1cff75fad3084b9de5dbb6c1c3dfc021256e4f109672

SHA512
20b5e6fc2a3f73e38b1ff0566188d8b45b133611ae2404a425c050ee8451c13c51ff4217e7fda0ca79e5e403a480c2836f8271a996383644b2e18cb251a56c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
786cbc753b6da760565766eb47d26808

SHA1
1f77d7ecbc6abfad5747352cfb48e6695eb47907

SHA256
db6337b269465f51fd3ebd9e4a748c1453ed0db7f90b385ccbfd9243839f6787

SHA512
4957aa2dd8bd5dedf326bf15c3761a806570714049f5ba7f47b9a869b3a4ec012f7e65adb7a0c19055cf993d84b9172f63ff80d483fb3d75a800cbfab06ca502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0a983544612ba00ffcb3c7008fbbe310

SHA1
9c646a04074af984424e5c342e32ee4a31e91b57

SHA256
dc47cfe63ccfe632f477c41f4e8b47bcbbcb1d271bcb6fa6872048bdc931d601

SHA512
f910fa46ba6fac622e1e1ccda079ed4d5a94cdc2d878bea45ca1b6130acf3f8d8d86fc11d002c837592b770203d14442d6a42f00c95ff99ab2ca22a1389ca4e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b4d6a196b71d871db8e1e8c6a1cfb78f

SHA1
ae4999cd52893d9cccead46156c2862e094e11aa

SHA256
3e68cd321aa5a45d46a62388ef7d33bd5e1b04293e7018f0ed41d829ae48987d

SHA512
094671a30a79cc5002d80fd0d9b03f412b8b7209e222cf0dcca76b648e510f0d505cb7b62a2f72101bc8711d79529f441db0277479569d73b8368df7b9b569a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f689a337156339b4ddcd3699ec629486

SHA1
23fa42865378691fe1d48ba159a9b446ccce50bc

SHA256
a6dc01f6dc2925166a016c4f17962c68c6eb1f80cb53d2bf191c058d30a05837

SHA512
e8825a2867a2fae053468a39d707c04658a3360126b5b77a0368bb50aefa03aeb6d2bf5be2be66d8df19dff0d3aab50e52b395551015e1d1fce160674d8bf2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
54f71a5998e1abb2c117f1e345b94735

SHA1
d94a3d1686800ef5f0de1376d0a534e1106eca54

SHA256
e7c0871d697fba77c89686977ad3f88c735ca7f8db21a65584f8f09302f74023

SHA512
187482438f0c83eb9c7021bdb8e9d1bcd8236d1fcf4a72e18d83de11010c9f90f06148addc404963b7f9422a6fb0fe474769638322d300a06e193f6075bf4836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5f5fbd88f34fe3553b50c710f7bcfd9f

SHA1
1bbac67ba158c0fdd6d71bcd3f298a80f783dfa6

SHA256
f50da52011badf7e88ddc871ac75458c04d3428c99d0db9a83a81e5d4ffda68c

SHA512
7cc1d9ecb8de7e55e5d2db0841c7b188d42095b5167de06d738f5a177800bc0bf2a6cab1532b3545503d41301e4c12c40a791b3307497ef9b9f8b7a29c97837d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9d87bdb68202eb581e6062ccaad72f31

SHA1
ff7856527ffb4c636a5e00b6446c2471ddd247e4

SHA256
c41b0910e4f66a2cc036ec78d20721b80cf71697e9865a4f9b87c62d29738b69

SHA512
07100d1d3a785f27d0805ba73030a471e6a3bc07bd5348cbcc6527cbb3cfc9e06a84b7afd9f783f7e00b3fb0c0289a84a8dd0e5cdbdf3ab42232b158c48b442b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
20da8236526e72f3f67c4ceba5889eb2

SHA1
3a428422c419f000f6d271bb427efee1839eb8a4

SHA256
a890e3ec048d58afdb4f35adeed79b3f0c8278d709de8189f579b873ca108094

SHA512
0ddf59aae3e19a0569682dd0fba19ddfe04ad01909b830c24adf44faf5cfe02365c854bc15baafc7e4bb54fc28880f027391f43db8daec626404f2ec76c6a140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86b1cee6308a502e2fd6cb222426ed41

SHA1
31e15f3ad2aaffef4e30e7e1c34ce2a2bd3c0c8e

SHA256
896fbd4833e286b844629d0b778814c88b23d2d8bc0420919c391d9c5a159c1a

SHA512
18e9c38588f5cea8e23b1d430ea27c3b62d5ef1197ef6ff33d1c9170158e7a7bc8603f67af6efe6a647b1c48736bbd13479b70586ed9402a4a946760289d74d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1032bb5caffbdf0fc541cabada64779e

SHA1
fad095bbc61e5553c3d46b2e65df6160a919aa1e

SHA256
d50928657ca44ea52b4f2830fb5a46aa82bb702eae398cccefee6ddc40264ac7

SHA512
b493b91db98ea6e174ad786a455d40c6085b6336052917657cb83aa155afec34907f4f5b9716b01f7aa70ffad39599bc6c232396a0428ce894b3211f19ce44cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e2bfba66e0bb465c14ff3228b4188d1

SHA1
6d95df915804a1069d6b0c1a442b2e3e616943f8

SHA256
d53ef70024698d2ead67e5105c70dd1c3f51ff9a3b50f9bbdec57279501f2d58

SHA512
75e8f39151a01aca15907f8ede9c7e0af5f8adec1457197bde7564de428ede2a2db44887d42b79650289280639ae7c811fdc44410a77994bff8269bf9972ae66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1fba79814163f25111c8cfd1ca38a18f

SHA1
622fa046dd4dfb1750bd56f730eb21e4e305abee

SHA256
d4f8d63f6862b5ef503512eb8e5c46e5549ba99d0720a9a2140fdde969fc7e49

SHA512
3a5142e337f7ea8cd4f99d6620fdf179a1410972c727a2bfbf3248993da8218c9ec7b93c442407032745bf6a9c5e6bdc32f6c6180af0c6c32555f4793d00bd3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
081e341c13eab22442325a014bf75976

SHA1
7ef09aba08b9ac36301d45c64b0996c2a14f798b

SHA256
8e4ca0588a3bc3219af849a89d430b14a4c7ccbb6c12d8064b8460d154f2a48f

SHA512
a5bd3f07076bbe79d392ef27bff10cafe5c11d6b4d5e4bec0808c5724a2717e7cd587868350cd6180037f124eee49a79f21c4a82deed434c0f4797881c180bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
efcaa390d39823a595b9fa38ba80d873

SHA1
27998fff35f1d16ebbf9af376de680fe5219f1b9

SHA256
55476c890e323612c55ee2980e114cb88f290c76b8efff77e9b9d28c8a165749

SHA512
976eec704f7ae75ed5c4fd8c549f6a804411d3753e47805e2c36385c92b849938ce8615025967ce28eabdc0ce9d26be089dd559b7f5f8fa9762ddba33274af32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6984d60ff439d647ed2d7b110478972f

SHA1
b155b744a9641457231a7fad77b511ded05e938b

SHA256
030b9ff4c535e2f4d3ba40d33312390e69ee668311e2ef2df3bd42c7bb8e680b

SHA512
b9c1c99bf8ae9c248c34dc7802654663775c127596e42dca43b53ce5f5c6217f279e964618a0d0c772e0c56936a51b27a0938726f362aae979884a7ba03e234a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ce2f1d676514619a4e525e1f501828c9

SHA1
b522fa9d2cda187affc48a13a4a6cc9c57d4d17a

SHA256
01f98ec763f391fcd509ab1d8666c555f17112985d80c51214c0d2bac8ebce04

SHA512
8b2269bb832f1f5b723b9f4e3a5b4f0c878c6afced669675d18ed8a00f00a171d4430412e0a1c255aaa5e455863ab59d67a7fe44891ed7fcc2660d750b9ef0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
58c5dca55a044e9bf38d3f2e053cf33a

SHA1
2b82520132b912e37260ac102265c7f9a395bee6

SHA256
fcfde0d561a15e4168d29795d2bb7b3f4354c331059403076e563a0c27f20742

SHA512
8fe41ce7d604fc740876729b9ac7bceb0082fd455f1e8cfbdf4f60018b250de9083e159ae65a9d44171db429094f3d74ee46aa6a118180c3fd33d4c560d72f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
dac458c0a22b6d498e1906599c36be31

SHA1
be6ed32108fec5b5d0c9d645fb901143432daccf

SHA256
18156379df02aad70d040ba1fe049fd46b3991ecec7c28004fc564e753343d2f

SHA512
b51544d501142927f5523f6008932fb2cbcf1515a3f4865645b60b32d85fe30ca903277c076eae872e2c5d28a11c7a2c17638e6443a76c1902602040386509c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c4ee52cb3b39e44ea7bd642518868c6e

SHA1
8a0eb35a3a7ca9245444959f60065f20d980e7ba

SHA256
06263229a8ab5385a4ee9afd7e8bb77623f9d83a82598dfb5f51cdbbc2ebd9cc

SHA512
8a7d926087991bf7cf95defe372fa65006a689e0cdacc7d598fa552b772d5ffc6e6795032c6e260c9d082f027822edb527230b37740ed35c743bb8f30cc0654c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
15c07e1805302cd2893137b040e8c157

SHA1
f2565be9a39af2bca008f69c5eaf0e4e6f6de2b2

SHA256
23540c27e9f47096156832932c1be411fbe355889135c631dc8a2acba26a1f5d

SHA512
b3b68404d68e6d20a00d0cb6760cc17683d350e8557b8488f94922c91686baadedbede069b8f65715763f9c8f74cccfb1b6cc939c4d9abaf0ffdac630e262f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f17f.TMP

Filesize
703B

MD5
b7660d2f055ec0fa50c5f3eb84ef7cd8

SHA1
988eabf196b815151732079cbc99474262bd091e

SHA256
b6b02fdb387616846ef33673b0af89106e3f92486fd551417fc33bca7b5c09b5

SHA512
fe69da6106c2ac3375bafdf47058cc839cc8514bc26544ec03603f1c3b7d7d76cf3cbe9fbf988c65d1f4c77c67f56bad32576008b3f7a191af6989e34c4396cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
9ce04a93fca605d6f792e5882dc5705b

SHA1
7ef93124be7fa70ac81f9e064810b7f7a7c557a6

SHA256
99266d7a568b41a3f70fb3d4a5952cf8a10fe6480a9f8a0b2f5c2f98b9619e1c

SHA512
9077b38cd3501f7f714ee1aaa136d64fd29d32e8616b7da91d7d680b34b0a0650ffdac06b4248018a104f13c479cdd320f0873e0495b77b4824d94f5e407c271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e64f7478-a5f7-4596-b423-4811eebc4492.tmp

Filesize
6KB

MD5
68dd83190fbbc1415fa7eb558f7da7cc

SHA1
788fb4867362a1c4a38b78edc30d9bc909b8423a

SHA256
45faaf7d3e06cc07edb9cc917a8042cd56dc7498ffd62bfdb08df5e0e2fd9649

SHA512
eef9e950fc115f1bc5e9e1c6a20c47a9fff074a040755a4c3457ca5b0c7c842528077834110bed2c9940b76e13dc2889dcc2fd87b7773945f48b8f7fb4507312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f27880c4dc0b0e2fe0ed2fa80b2cdbe6

SHA1
0590a203c97f4859fe9272768c71da4462f51c1c

SHA256
46f6a619572e7e789ca2b12dad555c8e32c9b50cd588a22eb5fe6d871a3a2a01

SHA512
40685b5aaaf8aca754bd3361ef1e9f08c60bd8d328361ba0394ddde2a7914b1b969944099ee08513801b923710db7b89a47e04711dcdb7bbe6bc654004253c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ac7f92b1d23280570bc4aa90aeff57a

SHA1
acd32af59f3db05afedfc3b4b09ca0d74897921a

SHA256
73cde8a17995a6db30260a6115691067c173f5b4649d37a04054b1eb428dd89b

SHA512
f407538cd4d58f33049299743936e63060b63677be2a6c3106e497078a0e949324150a7b65eda528995fe7a8c21f37d32cbe355d1634449352845d80c3157858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae41500e14378b290de34dccae7ad728

SHA1
a0dd84e4c10e1e58c8344a05fb3e547518d01118

SHA256
fd90b0449fa6d3a76988f74e6dfccb8e4fa347841696d684fb4c7cef1425735f

SHA512
b1fcaf628d7b54f14c7bc5cdc06eb7084f6d7f74b4c5a9fa8fc704b6e15ab8cd18547071ece8b9db8d6cfe59ae212a78563646d62df6a740c17f6bb058a83de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e72813c5c366fcca668839e58b3d93f1

SHA1
c4d909dcca719ab341e64e3e403709809fd888b7

SHA256
158703072b25a59a09e32391e67ac9167e46ddb3416908a91f20632deaaf73fe

SHA512
9cc4ac28578919d214ad5cafe6f793cdbaf707bce81bfe39a4495b6c9c38a123bad9d6860e85b36409c379cc4f5e2949c3c2c8ede79f388ac982a8b4f7fa0d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a715b15c6cc4000a4cafddae1dbbc06d

SHA1
9c99c881b6f4df67d1d0eae7318e06fa48202639

SHA256
8b843aa9a9ffecd7e131d9feba54dfb36b778b2cd0c38940130774fa2ead3d47

SHA512
a7b8473bd86968e1c64a39ca13bd1fafcbad49915f7559ca05b53d73ecbf3ebd4034ab5fb2477347361d73f89c492248718222807f8183a14a66e8f7d2dc9880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
69f20e6b2971b08bb3b9390fb58703ad

SHA1
74046de9072d577422f1aeac50e287cc40c196ac

SHA256
61b3012e2696d6978b93a6b0b37086b5c016f47cf8ae3c6a181ed7467dc3686e

SHA512
fe583f13b7e90d9efa01cb09b304e819371e31b38fd1bd0e0373aa0faf2036c6ed3dd3fd8387c2e1889d792cd9972625fa8fa67a23b8934ba239cbce728f9179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
822c405c8ae341a0c941f4b3ac8db47e

SHA1
250f5db398659837d6449531b169d7ee91fd2f29

SHA256
f701dcceb91101d27bcbc8b6824da1aa5168a53cad533dc266bec2f4d8bf31c0

SHA512
fb56e272700e644745d7a51edda085782a991644f8c09600622ce88d8bb628342d4e201c7cbbd414bf0b189e0707511279c9f45ec8b8e96f49387fe4228fe359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
54f9d606955c816068a206a22e651716

SHA1
822871134b33828b587de16cac53bc1204b2c8ab

SHA256
cc8a9ef2f5da22099df54e94b04bd73d7a900a4a7c778aafb27a3401529b0696

SHA512
f36de932647a61533c2d76588354fcda67071a2ae37d8a7c6086f2bd41f405ffc699b4688e830e6a3db913718b5f5c749a5f09eb0c05d1b2ff4ed25cc14535d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92ae5bb649375adfe501f05efb4cd814

SHA1
01ba930d1dabfa71a74405956c43e32e1ded764f

SHA256
c9f18f82273a001ea2eda8f2eaeb239c5a46cb981c0ba1e301f8fd75fdd04ea7

SHA512
9395a88f8afc27a6487ef7fd58087c1e908dadabf0087dd848f3e7b4f49b4a68d9603946dd08ce15ea379822d2ee4bf241332c6265e626b03be5638bf3840775

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE24B.tmp

Filesize
1KB

MD5
733f7542cd20b040eda52ae12b9e9544

SHA1
6d5ffe9a7243540b636c84db45a674b7cd77b5ac

SHA256
deaa12fb8d5ad21c57bb45133d2c492553233f4d185831f9dc6336adc2ffae87

SHA512
b6f17e0e3e5fb232b4239a191f24ce4b035e990c0cbe2d0bc6acbdc25cff7ffe89367b4cf1555467e898d22d5c3e6a9e0e72098173df9e7537ce3097f0fc9d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar2l514\rar2l514.0.vb

Filesize
78KB

MD5
871131c0f0bf96f4238ac523cedd3424

SHA1
052b53ddc53d7cad331b5245b94c2bd5b46a1122

SHA256
1dc2b2e9ea50657fd8a679e93d12007893cc26860d176118930808fd3614ba54

SHA512
ccaa1a7d96e3c7f0930006843021a1375cb081494fb3f2ea1986efebbe7a2b75f82b383d288d7a03f07d831eff24b5cfdeb143356b7f06bd1bf7618d8fd1d921

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar2l514\rar2l514.cmdline

Filesize
322B

MD5
ca88d516761895aa8575dcd03e92332e

SHA1
665d1fcc0555ca46de5a10f26ad8c3eb7ec1087c

SHA256
7bfcca8e0625eaaa6dbbb64da9bdca8eff5843508a34dd0cf347641ec262fa4e

SHA512
d022ff98f6e8972aeb28464043febb7264b31e18908d60490af84fec950fdfe1c13a6ccfc512bc5afae4daaec50678fec879d8602a64451a99899bc1aa7db077

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp983D.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc98091711478045EC9D2032C772A6B2B4.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
baa5361647741dd45db40ad5a78f7dab

SHA1
23900eecb11138c9f9c5a5e3f3cf26481d76b1b1

SHA256
0d1f28d6fb1a45f32356804222136a69c3041c3bc44a50cf30b96bd00db321b0

SHA512
b0593c7351e5a787be95cbe2580125a226f6a68b8e61d7bd80ac272c85af5f7ebeca7ff7bd073b3dd7d0c31709120c1b06133e8e6e5d160808e8121046bd5812

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
9292426529d4ca6fde405b2dc273aa11

SHA1
947778c14a17f90d0804bd0d6514b7838bacf406

SHA256
bd708050a6e9b99765565ab8e9fccea0a95963569c56c55ae3493b8571f4869c

SHA512
36aa6607784c5d78391f563ed90ad988a3ad03162bac574db2ecef3392fab8d2d517eb5edc30abdaf5a96f0123e205d4774f8a68ab7ae594663984614c929078

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 114741.crdownload

Filesize
25.1MB

MD5
95c1c4a3673071e05814af8b2a138be4

SHA1
4c08b79195e0ff13b63cfb0e815a09dc426ac340

SHA256
7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

SHA512
339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 518929.crdownload

Filesize
4.4MB

MD5
4ed55d45fcb0242eb24016c994c286d8

SHA1
493682a2cc401c1157eccb82b81c21fa838169c6

SHA256
dd1acb19e47bca4a935f2f72a68390bd2fc3a8ed608af7c9c247d3a69d7fba0a

SHA512
083885895b67c48977a16ed6e28e5bf5c52d1e1a9dcf4d78235b258be7f8382ea98a6626c19c081a0d44cf50bb648f919d8842f29040e5b872b51a7a87a57e07

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\ClientsFolder\EDA3F00D73015A5C9EE3\Recovery\ProductKey_10-12-2024 21;12;48;431.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
32KB

MD5
521916ccb03df2f308b62a220b320b04

SHA1
f2494bd283fa86521fb4ff051269d923472a74a3

SHA256
016d0e095436bc48643a5c2fdcbc24fffdc16d09e44f4129ccd5b48cf43ce594

SHA512
99fb89227a5abf7a2ea8f5daa82d4a9b760a2c78d650a9ec58c361520ee7080363d6e0621c0f3498e7a7ec773616d18e2cb1b48347d6ff447e792430eba1d517

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
63KB

MD5
6ec1b63aea33e4a7db807f262dc6101c

SHA1
041ccec09927bfe2d524e124772422bd02b955c2

SHA256
b5829fe90b13a295bf42ebd1417c6982639c37aac6970fdcae9610f9ca7665d8

SHA512
c0dde1499aa5d832065559858d7bf45c45fc54db8eec05bfa3a10b92e959f2b8449a269eede88bdd85f71ee0dd1bf3bc58341d6b4964120c02fb6ff94a0c1898

Download Submit
C:\Users\Admin\Downloads\playit-windows-x86_64-signed.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2348-1106-0x000000001CFB0000-0x000000001D300000-memory.dmp

Filesize
3.3MB

Download
memory/2348-1117-0x000000001D300000-0x000000001D420000-memory.dmp

Filesize
1.1MB

Download
memory/2348-1099-0x000000001B220000-0x000000001B25A000-memory.dmp

Filesize
232KB

Download
memory/2348-1161-0x0000000000EB0000-0x0000000000ED2000-memory.dmp

Filesize
136KB

Download
memory/2348-1209-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2348-1092-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/2944-988-0x00000208EBA40000-0x00000208EBC34000-memory.dmp

Filesize
2.0MB

Download
memory/2944-987-0x00000208CEA70000-0x00000208CF958000-memory.dmp

Filesize
14.9MB

Download
memory/2944-1098-0x00000208F27A0000-0x00000208F2852000-memory.dmp

Filesize
712KB

Download
memory/2944-1097-0x00000208F3170000-0x00000208F3452000-memory.dmp

Filesize
2.9MB

Download
memory/2944-1096-0x00000208F03A0000-0x00000208F03CC000-memory.dmp

Filesize
176KB

Download
memory/2944-1095-0x00000208F0400000-0x00000208F0482000-memory.dmp

Filesize
520KB

Download
memory/2944-1045-0x00000208F2CB0000-0x00000208F2E18000-memory.dmp

Filesize
1.4MB

Download