Analysis
max time kernel: 197s
max time network: 197s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2024, 23:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html
Resource: win10v2004-20241007-en
General
Target: https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html
Malware Config
Extracted
xworm
127.0.0.1:19998
close-todd.gl.at.ply.gg:19998
Install_directory: %AppData%
install_file: USB.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023cf6-1612.dat | family_xworm
behavioral1/memory/5136-1630-0x0000000000410000-0x0000000000428000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
5536 | powershell.exe
4564 | powershell.exe
4764 | powershell.exe
5648 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | XClient.exe
Executes dropped EXE 4 IoCs
pid | Process
5136 | XClient.exe
2084 | XWormLoader 5.1 x64.exe
4908 | SystemSecure
1548 | SystemSecure
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemSecure = "C:\\Users\\Admin\\AppData\\Roaming\\SystemSecure" | XClient.exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\system32\perfc011.dat | lodctr.exe
File created | C:\Windows\system32\perfc007.dat | lodctr.exe
File created | C:\Windows\system32\perfc009.dat | lodctr.exe
File created | C:\Windows\system32\perfh009.dat | lodctr.exe
File created | C:\Windows\system32\perfc00A.dat | lodctr.exe
File created | C:\Windows\system32\perfc010.dat | lodctr.exe
File created | C:\Windows\system32\perfh010.dat | lodctr.exe
File created | C:\Windows\system32\perfh007.dat | lodctr.exe
File created | C:\Windows\system32\perfh00A.dat | lodctr.exe
File created | C:\Windows\system32\perfc00C.dat | lodctr.exe
File created | C:\Windows\system32\perfh00C.dat | lodctr.exe
File created | C:\Windows\system32\perfh011.dat | lodctr.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | XClient.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | OpenWith.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4616 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process
2468 | msedge.exe
2268 | msedge.exe
1096 | identity_helper.exe
5748 | msedge.exe
5536 | powershell.exe
4564 | powershell.exe
4764 | powershell.exe
5648 | powershell.exe
5136 | XClient.exe
4616 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid | Process
2268 | msedge.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5136 | XClient.exe
Token: SeDebugPrivilege | 5536 | powershell.exe
Token: SeDebugPrivilege | 4564 | powershell.exe
Token: SeDebugPrivilege | 4764 | powershell.exe
Token: SeDebugPrivilege | 5648 | powershell.exe
Token: SeDebugPrivilege | 5136 | XClient.exe
Token: SeDebugPrivilege | 4908 | SystemSecure
Token: SeDebugPrivilege | 1548 | SystemSecure
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2268 | msedge.exe
Suspicious use of SendNotifyMessage 32 IoCs
pid | Process
2268 | msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5136 | XClient.exe
1072 | OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2268 wrote to memory of 2956 | 2268 | msedge.exe | 84
PID 2268 wrote to memory of 4132 | 2268 | msedge.exe | 85
PID 2268 wrote to memory of 2468 | 2268 | msedge.exe | 86
PID 2268 wrote to memory of 3188 | 2268 | msedge.exe | 87
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html
Depth: 1
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2268
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a147182⤵PID:2956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵PID:4132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:82⤵PID:3188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:3164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵PID:4788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵PID:3136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:82⤵PID:4340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3988 /prefetch:82⤵PID:2516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵PID:1276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:12⤵PID:4292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵PID:3380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:12⤵PID:5180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:12⤵PID:5188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:12⤵PID:3628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵PID:4808
-
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID:1972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Depth: 1
PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\Fixer.bat" "
Depth: 1
PID:1456

C:\Windows\system32\lodctr.exe
lodctr /r
Depth: 2
- Drops file in System32 directory
PID:5472

C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe
"C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe"
Depth: 1
PID:6060

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
Depth: 2
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
Depth: 3
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Depth: 3
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SystemSecure'
Depth: 3
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSecure'
Depth: 3
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemSecure" /tr "C:\Users\Admin\AppData\Roaming\SystemSecure"
Depth: 3
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
Depth: 3
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a14718
Depth: 4
PID:6060

C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe
"C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe"
Depth: 2
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Roaming\SystemSecure
C:\Users\Admin\AppData\Roaming\SystemSecure
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Users\Admin\AppData\Roaming\SystemSecure
C:\Users\Admin\AppData\Roaming\SystemSecure
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Depth: 1
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1072
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 432B
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 240B
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize
16B