Analysis
-
max time kernel
1050s -
max time network
955s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
21-10-2024 18:52
Behavioral task
behavioral1
Sample
XWorm-5.6-main.zip
Resource
win11-20241007-en
General
-
Target
XWorm-5.6-main.zip
-
Size
24.8MB
-
MD5
98af17dc86622b292d58fbba45d51309
-
SHA1
44a7d9423ce00ddda8000f9d18e3fe5693b5776f
-
SHA256
eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1
-
SHA512
b3b9c67e373bcba5bd039088953400a3296b374f29f5de00f56c0702da7f9eccf0c452586d486c17ab1ea5ab16240112fda8457ec258d2ba9735b17959db4b05
-
SSDEEP
786432:3vngbHGYI0DuXXEDgfI+tjIdubuu0SVww6vZqwffr:fgbHGY2hfI8yuxV7oswXr
Malware Config
Extracted
xworm
5.0
127.0.0.1:8888
Ytuq3ImrRukuy0zi
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
xworm
127.0.0.1:8888
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 12 IoCs
resource yara_rule behavioral1/files/0x001900000002ac28-253.dat family_xworm behavioral1/files/0x001900000002ac33-263.dat family_xworm behavioral1/files/0x001900000002ac33-265.dat family_xworm behavioral1/memory/1392-267-0x0000000000AE0000-0x0000000000AFA000-memory.dmp family_xworm behavioral1/files/0x001e00000002ac31-2027.dat family_xworm behavioral1/files/0x001b00000002ac3a-2037.dat family_xworm behavioral1/files/0x001b00000002ac3a-2039.dat family_xworm behavioral1/memory/1520-2041-0x0000000000BF0000-0x0000000000C08000-memory.dmp family_xworm behavioral1/files/0x001900000002ac5b-2240.dat family_xworm behavioral1/files/0x004700000002ac64-2250.dat family_xworm behavioral1/files/0x004700000002ac64-2252.dat family_xworm behavioral1/memory/916-2254-0x0000000000260000-0x000000000027C000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/1520-2183-0x000000001D2D0000-0x000000001D3F0000-memory.dmp family_stormkitty -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3100 powershell.exe 1780 powershell.exe 4944 powershell.exe 2968 powershell.exe 792 powershell.exe 3980 powershell.exe 944 powershell.exe 1540 powershell.exe -
Deletes itself 1 IoCs
pid Process 916 XClient.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe -
Executes dropped EXE 16 IoCs
pid Process 1392 XClient.exe 640 XClient.exe 1520 XClient.exe 4316 XClient.exe 3524 XClient.exe 4228 XClient.exe 1016 XClient.exe 1096 XClient.exe 5076 XClient.exe 916 XClient.exe 1260 XClient.exe 3348 XClient.exe 2992 XClient.exe 3392 XClient.exe 1032 XClient.exe 3244 XClient.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" XClient.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" XClient.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ip-api.com -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\system32\perfc00C.dat lodctr.exe File created C:\Windows\system32\perfh00C.dat lodctr.exe File created C:\Windows\system32\perfc007.dat lodctr.exe File created C:\Windows\system32\perfh007.dat lodctr.exe File created C:\Windows\system32\perfc009.dat lodctr.exe File created C:\Windows\system32\perfh009.dat lodctr.exe File created C:\Windows\system32\perfc00A.dat lodctr.exe File created C:\Windows\system32\perfh00A.dat lodctr.exe File created C:\Windows\system32\perfc011.dat lodctr.exe File created C:\Windows\system32\perfc010.dat lodctr.exe File created C:\Windows\system32\perfh010.dat lodctr.exe File created C:\Windows\system32\perfh011.dat lodctr.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" XClient.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1520 set thread context of 4092 1520 XClient.exe 122 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2092 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Xworm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Xworm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion Xworm V5.6.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\TypedURLs Xworm V5.6.exe -
Modifies registry class 49 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" Xworm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg Xworm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Xworm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Xworm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "7" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Xworm V5.6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Xworm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Xworm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 Xworm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Xworm V5.6.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings Xworm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Xworm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Xworm V5.6.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Xworm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Xworm V5.6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Xworm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Xworm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Xworm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Xworm V5.6.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3340 schtasks.exe 2324 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3656 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 1780 powershell.exe 1780 powershell.exe 4944 powershell.exe 4944 powershell.exe 2968 powershell.exe 2968 powershell.exe 792 powershell.exe 792 powershell.exe 1520 XClient.exe 1432 powershell.exe 1432 powershell.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2816 7zFM.exe 5036 Xworm V5.6.exe 3656 explorer.exe 1520 XClient.exe 916 XClient.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeRestorePrivilege 2816 7zFM.exe Token: 35 2816 7zFM.exe Token: SeSecurityPrivilege 2816 7zFM.exe Token: 33 2072 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2072 AUDIODG.EXE Token: SeDebugPrivilege 1392 XClient.exe Token: SeDebugPrivilege 640 XClient.exe Token: SeDebugPrivilege 1520 XClient.exe Token: SeDebugPrivilege 1780 powershell.exe Token: SeDebugPrivilege 4944 powershell.exe Token: SeDebugPrivilege 2968 powershell.exe Token: SeDebugPrivilege 792 powershell.exe Token: SeDebugPrivilege 1520 XClient.exe Token: SeDebugPrivilege 4316 XClient.exe Token: SeDebugPrivilege 1432 powershell.exe Token: SeDebugPrivilege 3524 XClient.exe Token: SeDebugPrivilege 4228 XClient.exe Token: SeDebugPrivilege 1016 XClient.exe Token: SeDebugPrivilege 1096 XClient.exe Token: SeDebugPrivilege 5076 XClient.exe Token: SeDebugPrivilege 916 XClient.exe Token: SeDebugPrivilege 3980 powershell.exe Token: SeDebugPrivilege 944 powershell.exe Token: SeDebugPrivilege 1540 powershell.exe Token: SeDebugPrivilege 3100 powershell.exe Token: SeDebugPrivilege 916 XClient.exe Token: SeDebugPrivilege 1260 XClient.exe Token: SeDebugPrivilege 3348 XClient.exe Token: SeDebugPrivilege 2992 XClient.exe Token: SeDebugPrivilege 3392 XClient.exe Token: SeDebugPrivilege 1032 XClient.exe Token: SeDebugPrivilege 3244 XClient.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 2816 7zFM.exe 2816 7zFM.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 5036 Xworm V5.6.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 1520 XClient.exe 1520 XClient.exe 1520 XClient.exe 5036 Xworm V5.6.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe 4172 msedge.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 1520 XClient.exe 3656 explorer.exe 3656 explorer.exe 5036 Xworm V5.6.exe 5036 Xworm V5.6.exe 916 XClient.exe 3244 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5036 wrote to memory of 4680 5036 Xworm V5.6.exe 94 PID 5036 wrote to memory of 4680 5036 Xworm V5.6.exe 94 PID 4680 wrote to memory of 3012 4680 vbc.exe 96 PID 4680 wrote to memory of 3012 4680 vbc.exe 96 PID 4068 wrote to memory of 4772 4068 cmd.exe 103 PID 4068 wrote to memory of 4772 4068 cmd.exe 103 PID 5036 wrote to memory of 948 5036 Xworm V5.6.exe 107 PID 5036 wrote to memory of 948 5036 Xworm V5.6.exe 107 PID 948 wrote to memory of 3576 948 vbc.exe 109 PID 948 wrote to memory of 3576 948 vbc.exe 109 PID 1520 wrote to memory of 1780 1520 XClient.exe 111 PID 1520 wrote to memory of 1780 1520 XClient.exe 111 PID 1520 wrote to memory of 4944 1520 XClient.exe 113 PID 1520 wrote to memory of 4944 1520 XClient.exe 113 PID 1520 wrote to memory of 2968 1520 XClient.exe 115 PID 1520 wrote to memory of 2968 1520 XClient.exe 115 PID 1520 wrote to memory of 792 1520 XClient.exe 117 PID 1520 wrote to memory of 792 1520 XClient.exe 117 PID 1520 wrote to memory of 3340 1520 XClient.exe 119 PID 1520 wrote to memory of 3340 1520 XClient.exe 119 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 1520 wrote to memory of 4092 1520 XClient.exe 122 PID 4092 wrote to memory of 1432 4092 cvtres.exe 123 PID 4092 wrote to memory of 1432 4092 cvtres.exe 123 PID 4092 wrote to memory of 1432 4092 cvtres.exe 123 PID 1432 wrote to memory of 4912 1432 powershell.exe 125 PID 1432 wrote to memory of 4912 1432 powershell.exe 125 PID 1432 wrote to memory of 4912 1432 powershell.exe 125 PID 1520 wrote to memory of 4392 1520 XClient.exe 132 PID 1520 wrote to memory of 4392 1520 XClient.exe 132 PID 1520 wrote to memory of 4984 1520 XClient.exe 134 PID 1520 wrote to memory of 4984 1520 XClient.exe 134 PID 4984 wrote to memory of 2092 4984 cmd.exe 136 PID 4984 wrote to memory of 2092 4984 cmd.exe 136 PID 5036 wrote to memory of 2576 5036 Xworm V5.6.exe 138 PID 5036 wrote to memory of 2576 5036 Xworm V5.6.exe 138 PID 2576 wrote to memory of 640 2576 vbc.exe 140 PID 2576 wrote to memory of 640 2576 vbc.exe 140 PID 916 wrote to memory of 3980 916 XClient.exe 143 PID 916 wrote to memory of 3980 916 XClient.exe 143 PID 916 wrote to memory of 944 916 XClient.exe 145 PID 916 wrote to memory of 944 916 XClient.exe 145 PID 916 wrote to memory of 1540 916 XClient.exe 147 PID 916 wrote to memory of 1540 916 XClient.exe 147 PID 916 wrote to memory of 3100 916 XClient.exe 149 PID 916 wrote to memory of 3100 916 XClient.exe 149 PID 916 wrote to memory of 2324 916 XClient.exe 151 PID 916 wrote to memory of 2324 916 XClient.exe 151 PID 916 wrote to memory of 4172 916 XClient.exe 156 PID 916 wrote to memory of 4172 916 XClient.exe 156 PID 4172 wrote to memory of 3804 4172 msedge.exe 157 PID 4172 wrote to memory of 3804 4172 msedge.exe 157 PID 4172 wrote to memory of 4512 4172 msedge.exe 158 PID 4172 wrote to memory of 4512 4172 msedge.exe 158 PID 4172 wrote to memory of 4512 4172 msedge.exe 158 PID 4172 wrote to memory of 4512 4172 msedge.exe 158 PID 4172 wrote to memory of 4512 4172 msedge.exe 158 PID 4172 wrote to memory of 4512 4172 msedge.exe 158 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2816
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3204
-
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nay5qu1i\nay5qu1i.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C8FFC303E054F99BB101E745BDE7E2.TMP"3⤵PID:3012
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pgvbvlt1\pgvbvlt1.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4708.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD98ADBFC8D543EDA479815AFB77FCEB.TMP"3⤵PID:3576
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\paopaign\paopaign.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5794D26068E04756A0811CB085F0C383.TMP"3⤵PID:640
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3576
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004801⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Fixer.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\system32\lodctr.exelodctr /r2⤵
- Drops file in System32 directory
PID:4772
-
-
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640
-
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 127.0.0.1 8888 test CE611C4B0753FF1227092⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text4⤵
- System Location Discovery: System Language Discovery
PID:4912
-
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"2⤵PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2092
-
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3656
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"1⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdc19d3cb8,0x7ffdc19d3cc8,0x7ffdc19d3cd83⤵PID:3804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:23⤵PID:4512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:33⤵PID:4076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:83⤵PID:2980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:13⤵PID:2516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:13⤵PID:3848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:83⤵PID:2872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:83⤵PID:1424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:13⤵PID:4396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:13⤵PID:3856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:13⤵PID:536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:13⤵PID:2500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3712 /prefetch:23⤵PID:1712
-
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:748
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2032
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3244
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
152B
MD5d91478312beae099b8ed57e547611ba2
SHA14b927559aedbde267a6193e3e480fb18e75c43d7
SHA256df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043
SHA5124086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96
-
Filesize
152B
MD5d7145ec3fa29a4f2df900d1418974538
SHA11368d579635ba1a53d7af0ed89bf0b001f149f9d
SHA256efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59
SHA5125bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91
-
Filesize
5KB
MD5898bc3071b2d538511ca0c9d3cb3ced9
SHA13dd89fed2f5e48b199264f9ca593120ecaa0d86f
SHA256c067d86fd7810f417ccd6a7eba13fc00ab3d20a1da5a4315cd63dea859035479
SHA51245ad9480d57b5d98b59d49959157f399d62bc0d3c44ce21e5941734e176afb140795917c846164587732cf4d557c835b61735dc3c1dbccf22fff7c4c7fffb707
-
Filesize
5KB
MD509cefc54487672f7aeb9f9e981b9f1f4
SHA1ea6498fe65ede71322535f2a86a0eee5a493eb12
SHA2568801817ce0a35b8b7ce28276814c0694081855ac0a11f0b891df3479cb1a4801
SHA512d521d0a606395b1dd5b02c6b2a749213e60132e02d1a8df24d40078edb085b665ba40d27a536018a03258ae59022630cbb1439b85ffe4e2564dccaa2562a4dc7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5469e67866a69de6a4213d55d8d33d332
SHA1d8adc63d4d88c764b4116d001a721c6eec0d199e
SHA256097e7da2dca6eb6822ff16180dac9f1e334be93ecd9b55c20206401d2c156d92
SHA51289dc103cd846544de11ad756ac84c858ea6018555046056c2774e8b3b2f555f847447e61cb5c61f658a8a55105340a63f8699bde0b80051d4d3942186a00d69e
-
Filesize
11KB
MD58ed19c6e4e60c6a3416b51ae95fe4d47
SHA12137b64f309e6e894a543f74e17df3ef1d39da4e
SHA256b3142a8360ba8999d1863892ff396465573ecfb77a08925a4d2c83779584efbc
SHA5126c9025b4e94b5527f83127737ed316113a2a5ddf00a5b0a10e6b75ea23cfde15a145a5f3dac849adf7bc3b77611b50e017012ad7ba94aca42da1de2f80d7e4e1
-
Filesize
944B
MD505b3cd21c1ec02f04caba773186ee8d0
SHA139e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
-
Filesize
944B
MD51189a72e42e2321edf1ed3a8d5568687
SHA1a2142fc754d6830de107d9d46f398483156f16a6
SHA256009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea
SHA512b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29
-
Filesize
944B
MD54ae54c3a00d1d664f74bfd4f70c85332
SHA167f3ed7aaea35153326c1f907c0334feef08484c
SHA2561e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c
SHA512b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889
-
Filesize
944B
MD555f30089624be31af328ba4e012ae45a
SHA1121c28de7a5afe828ea395d94be8f5273817b678
SHA25628e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473
SHA512ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787
-
Filesize
11KB
MD5ed1b0e00fd83b0358c2b39b801f6b3cf
SHA1ad20a274a21401c2d74bb9d4b0a01f8885465457
SHA256624f9ecae9487408c12ac5feb5eec9af8556e451ef4c6b73c1b44a9935a6771c
SHA512b5c578dff80f3f9957d4e62379299c34c1b770e83153573b4ad7bf4fce367f492b7fc268c818ce81d8b6d6839f176a7eb76aaf39491d4f5aa786edd4d96e5bcd
-
Filesize
944B
MD56344564097353c8e7e68991fffa80d88
SHA12ac4d108a30ec3fbd2938b0563eb912415ea7c62
SHA256d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da
SHA512e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303
-
Filesize
944B
MD585a856d138f6fec5b2d64d1b6658a61e
SHA1a42398c085485601e3fc915f2d0c2fbd7046ad55
SHA256737694fb0ef78d16514fe65ec4013400f3ceaa54c1e63121a228247d5cd2b3bf
SHA512dd9b92f6bb47e7e9b927ff7d2d39aef4427b2574eed365b1f4e5944093377791742b08d5b726c76f5c47231985346541d149b4c59320193ebc7d83775a36f3f5
-
Filesize
944B
MD5052b734e3d0b49bccde40def527c10df
SHA12ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0
SHA256d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f
SHA512bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba
-
Filesize
156B
MD55bc65b142d36f2ecb21ebc423b858697
SHA17a7d528f45738c0f74ccf6dd83845e5dc447c93c
SHA2561da9c3992c1727535a233a0c83d4299d0983bfaaae0fa80977b824db4e17064f
SHA5127947e1df46261df57c03e0c9b6b164695317e47443bdebde9056c77f6a7e10e1060d902d7631b13ed7373ff6a33533230c411927ec619616d2bc1e4ede5fae6f
-
Filesize
1KB
MD5c90ca972b01ff3fc245e58765f33c260
SHA18a783d32f1125352312b85e4c66b5faa5aa26954
SHA2562c1ecdd7cb5788a42a1cb4329953f0b7cf6d146d3b4b52633cf7697d2c35ab66
SHA512a29d8040690a2bc22b56a6ee7e359b2e555aa40f556c7f26d6d112892f65cf9d328fb3bf3104f45ea1dc7bd9b8bf0b2c69f3afd7df45a7a78e0d0fa31c16548e
-
Filesize
1KB
MD55cb49b81e4d9fdcd50ca9ebacfb64649
SHA151c94bc7d7af97eb794e20041b3ca14dc7b0a88a
SHA25681310b698325056a5b4beac5c9a7afec1fbe6f3de7f5a896ca3c53f1af59c26b
SHA512db75e9efb92f0c04d527e4912d8680c733171ba66fea1925ae17c915e99c9c2352a6723d8d5f90afe64213a94455bed4c6c2262286558f43937b7952e7406e34
-
Filesize
1KB
MD51d007e26a7fb3fd771b03139721a1069
SHA1b3685ad84845e40c93f36b98532e24528b01d403
SHA2565854da8c1e29adf03ff536c81ba53e257c6d41b024e1a34a397a61a66926bca8
SHA51200f74fb0e408ea2df74a12ea310042db44fccc3c1e4d8af6bae3b7740649074ce474c68f700136f2ad8c913db5029e281180d09ed4943d7c834f8c91ea307cad
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
78KB
MD50bc404edeb6130e2e3f02a0fd349585a
SHA12059d99876574508ab07928255cf32da044a0b81
SHA256dd46fa282fa9f9edb11e245d28640ab3a7cb03e0a58485b8e233dcc0bf7aae5d
SHA5128ac38121ecb4de0b95c0f540a810f3025ac7e7cf89141e1043ef40340cb8a9da364370aa4c13c5c375e0829682f09c910bdbefdd52423e0bc2ff0c5af9fc9dc0
-
Filesize
322B
MD5f4c5b7793d0bd17232894f566252f24c
SHA179eb587bb56ed792258dec213277efa9cae94afa
SHA2567d930d9daa399113a18c097d60e4985302c01fde0a5b96b547a3200800e0364f
SHA5128eebb5d157f8ce08697142b4fe8dad2bdb95651e1a40df7fedc9d4f3119fd989949ee04e6caeea7bee88c5152defd987b2ba6731a8533f6073647efa21e970fe
-
Filesize
78KB
MD507f6b5b21ac34d0d3c75de5fb9711708
SHA15741038d11a1828874eecf3a7031589733236662
SHA2563f01c8a610dad889ad5cc569245edb15aa4b9fc73c2f6d843f33adf212185460
SHA51209c409122b542aec4663e6257b827f1ea224e318eca4e6e846c7644b3030aedf8b420ec9a638d7a9e5f0fe24572567d0a44cbd922c1d8e0725e6323683a62d9b
-
Filesize
322B
MD536f7af05c23d383c8eb18cce94789410
SHA16f25d1d4c1b6816bcc2b7ca81af21d1036395a14
SHA25619b66161965dd42e8529a72bb28d341f48a0947e5d3f018e2e66767d47770f43
SHA51240e08d9b691e584ebddd955bda4530fc2ef50cc74946db39108cb562b8a21ff375a36dcec7b4923748c8db12ff665c2a1c17e2eacb3e0c9b9567a73063b58df5
-
Filesize
78KB
MD564f04ab6b59d57baf48890a8a4ce4592
SHA1e8a3a001bd7b25ea2c94bdf99626d15bdb4c4364
SHA25696ab90789f8a1011132a27ec52bf4016e3ddf6009c3f31d50a32d5255109ab78
SHA51236d69c3579f1140f8524584cec9a30a6b13bb46b6b387174e7eda8bc370fe32f1495b80099b959e3d4a2ab41582cecb7990fbc1dd5582d66781f5bfbd0c9314d
-
Filesize
322B
MD57a69a5aa14c3a5668a05063c89b63457
SHA1207e29b7925b8983c67c5c34b6b09e54cf7c3f5f
SHA256ce410b7448c78470370c61af58f974793005c3645f68f1e54c49e478a5fe7d27
SHA5121abc6eee08c6c1808d3118e0f3a4ac275da8b2fbd9dd9b0a3a3356d762110c1121163a06e4c59d979f41513594ef3507fc8554baa7f4f54a7eba0cf330be768d
-
Filesize
180B
MD571492ed8330f6510f2090e449d03b855
SHA1f6e54d501f87c89a43b03d0208f53888ba9e2eca
SHA256d240c00e5e41859688b8513f2899f21d75c5ef94eec35ccd928382afcd6917d7
SHA5127d50718f6c3aae3627c7b0f04dd08c0dd2e809ab706a9d37c962122ff35174e8dc44ad0eee36c0b364dca345d94d611972ba52861b7023c7787131b94ac8eacc
-
Filesize
1KB
MD5d40c58bd46211e4ffcbfbdfac7c2bb69
SHA1c5cf88224acc284a4e81bd612369f0e39f3ac604
SHA25601902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca
SHA51248b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68
-
Filesize
361KB
MD5dbf9f0c04bc49859568938f5448d64f8
SHA1ab09e5f2ddbc316a4af58744d81c7f7c38301db3
SHA256ec0d7b20ae6aade9330a120ce99cd9044a2b8a622ba5ead82d644863af790bed
SHA512c16f533f53537e7b3f8f262a9b34a12b794b1c409f6e81f491360cc7fcc5a5ebf4bed3aa5b7e01c75c9b1ea9edcd7e791e5871def124a4169e10892ea67677c7
-
Filesize
45KB
MD5151fe26e67d4199afc63e301b2bd25b2
SHA1065a5dd2b84dbe4f58f86d22b3a637bb658895d4
SHA256826b0cbfcaf99c3d68fdb3279d2559afcaf3c34c29339d633493804f44f30fc1
SHA512d13ebfb23cfef9c922294cf963768f58b6d3edacf7c8da3c78e09e95b48751642d3be96643e1a9ab362845c8d5ac6c5705b560283ff522c8897f628474b53d8c
-
Filesize
78KB
MD5db811222a049ecb4f12532405101459d
SHA1b582a1c32ef696c83c8651f90f3397301bfccab6
SHA256ababdbbd391e7117a574601635ba9070fd0d6a4aaa6993ce13a1456c3fc42085
SHA5127782d5f75d292efa51e449508bca8df4a54d2d958540ad30999f2f0bc695da7e15123441d4ec2575785336b32072a59d9718ddb0d74441d2ad4296db60960753
-
Filesize
43KB
MD51016f7be626ddce56693e01772a83e37
SHA11f138481b8a26e8b20e2fe3daa6b1c2e3c9311e1
SHA25630818f3f2a2ac59bb484288a3afbbb658d16911444690d5c822c3d084296614f
SHA512e22f83ca2d765f05b9a25d9a313344b8546b9312540c2a21b7ec4f27fcb81ff8b369ccf5104b1c82dfbd237eaee061049b34f74d50061556fc971da969b9ae3d
-
Filesize
70KB
MD5bc69a86107ba51daa06c38404d8babe1
SHA1a7568e83e385afe0ef2f1139e55d0bf370c68a9d
SHA2562fd8e6798f3d28e09db0569fed9bfe2d501c2ba66591a155187bef736b1fd4df
SHA5120d69bd04387cfbe511629c7e461be06966772c641ca1e67c18a02ac7f20055c495b5dface9da0571c286542c55795d453a428616d81e1bc63878a98c35bd7345
-
Filesize
43KB
MD53e4bc05b76e8c81e3812d86ea5b540b1
SHA10991551ad0165e2ae2d3ee878fbf1873df07de51
SHA2562770a2cec69243dfa461c7bcb15cb8de87d09087ec4c04224d50f6941f228856
SHA5128ecf59aba963ed9c9b5dac950faa05eda8e888234bf56428f3b4d32491fc2b89bc28925f69496053b8243de57a4c77d4fba9f2c603e8f78f48f59ed7162c8e0b
-
Filesize
89KB
MD5ff94b2956336fd6f03e968743751de46
SHA1539536cec2b6291bbac777a738ff05687f93fc9d
SHA2569ad695b1d47a79b845218e8413508302d099c75387afb4f98784ca9215030933
SHA51260a2b3ece5ef21ff2fd1c57359488e49ce1e721569ff82d6f8353a8b94c08d7912b7a5e8c6432aff1270d393bb534f92467cd8dd896955b8e38d73588f350997
-
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize16B
MD5f45fe582f513ecbd33f88346370b9dbe
SHA1db304d5e889573bad86b90efaf8ccd0ca1a6c0c9
SHA2566a82147ef0cf1f162b91e9748e7cc0e320bba5a0f9dde0de54c0240cd25bcabb
SHA51246dafed5b02d549e725c7e814a5c95bb464fc83502a2d8223fb128dc386561c17372f9236b3b5689f01ba442ae6e0c219c8bb595c6b588fe08da15c988fceedd
-
Filesize
924KB
MD5c93ee3abeff4ac24936471f80b36ec7a
SHA10120649571a4b692ff5d10aae8dd87dffd3a0f81
SHA2562f691caff7e1980cfb069d2608b6470b3a06cdb90467ce47820e8602115a0c5b
SHA512dd319d1eea708284588ff67268cb23bd7b5cde505f3a8a1e7a27a587920ee5877efa4c1d8264cae48de343cabbf11bbe457b49f348b46288765eeff45d20cab5
-
Filesize
333KB
MD5b746707265772b362c0ba18d8d630061
SHA14b185e5f68c00bef441adb737d0955646d4e569a
SHA2563701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519
SHA512fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8
-
Filesize
122B
MD52dabc46ce85aaff29f22cd74ec074f86
SHA1208ae3e48d67b94cc8be7bbfd9341d373fa8a730
SHA256a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
SHA5126a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
-
Filesize
2.9MB
MD5819352ea9e832d24fc4cebb2757a462b
SHA1aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11
SHA25658c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86
SHA5126a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a
-
Filesize
147KB
MD532a8742009ffdfd68b46fe8fd4794386
SHA1de18190d77ae094b03d357abfa4a465058cd54e3
SHA256741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365
SHA51222418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b
-
Filesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
10KB
MD5640d8ffa779c6dd5252a262e440c66c0
SHA13252d8a70a18d5d4e0cc84791d587dd12a394c2a
SHA256440912d85d2f98bb4f508ab82847067c18e1e15be0d8ecdcff0cc19327527fc2
SHA512e12084f87bd46010aded22be30e902c5269a6f6bc88286d3bef17c71d070b17beada0fe9e691a2b2f76202b5f9265329f6444575f89aff8551c486eafe4d5f32
-
Filesize
97KB
MD54f409511e9f93f175cd18187379e94cb
SHA1598893866d60cd3a070279cc80fda49ee8c06c9b
SHA256115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f
SHA5120d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f
-
Filesize
115KB
MD5ad1740cb3317527aa1acae6e7440311e
SHA17a0f8669ed1950db65632b01c489ed4d9aba434e
SHA2567a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878
SHA512eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2
-
Filesize
9KB
MD51c2cea154deedc5a39daec2f1dadf991
SHA16b130d79f314fa9e4015758dea5f331bbe1e8997
SHA2563b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d
SHA512dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00
-
Filesize
9KB
MD54ea9ab789f5ae96766e3f64c8a4e2480
SHA1423cb762ce81fab3b2b4c9066fe6ea197d691770
SHA25684b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50
SHA512f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414
-
Filesize
361KB
MD5e6fec4185b607e01a938fa405e0a6c6c
SHA1565e72809586e46700b74931e490e2dc1e7e3db1
SHA2562e2f17b7dd15007192e7cbbd0019355f8be58068dc5042323123724b99ae4b44
SHA51213daeb2bf124e573590359f18a1d962157dc635a88319c9ed1a2e8ccad6322fb081579e1e8fbe62ffe55c8286c2bc8acb251d572a4beb00641ad5009a380e513
-
Filesize
361KB
MD50c24edec606abda7c6570b7dcf439298
SHA14478a102892e5eb4bb1da8e9c62d17724965691a
SHA2568fc693238afc49a8098dac1762bfae891e818bb84749c6eef5f1b0c6c8ffddb2
SHA512f8de3ffb8f9fe1394b3626ae5616213d4612b43f0635fa9053d74ac6fe536657e796289487f245b8abff74f1de8368c0df8e56bf21f540366ed86a378649ea24
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
502KB
MD53b87d1363a45ce9368e9baec32c69466
SHA170a9f4df01d17060ec17df9528fca7026cc42935
SHA25681b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451
SHA5121f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
833B
MD53df649ecaad6d64de9b4cc8bc8b23651
SHA1e427566ab2bd4c6d85bf4cd6882748e1588aed99
SHA2560eb3b1b999047c79f180dc730a1e86444c2ed8817b8ef7b8b66430581ea46ce7
SHA5125522f66e4061eba10411e7d499da9b3daf403dbd34d158a99021dd305a54df4ea00066b043b0e6e035d95aaacc92be8e51919f19dbe80ac1ed2d2eb5afc425e0
-
Filesize
1.4MB
MD59043d712208178c33ba8e942834ce457
SHA1e0fa5c730bf127a33348f5d2a5673260ae3719d1
SHA256b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c
SHA512dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
14.9MB
MD556ccb739926a725e78a7acf9af52c4bb
SHA15b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA25690f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA5122fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
Filesize
39KB
MD5c6a00700213a4cdfac7b02faabc2fa10
SHA1d1fab1803050a67c59dfce442c1f1dacb166d0dc
SHA256987d276742eba82260ac1509adc8678651d30103162b44d4e62fbde1b2f28559
SHA512e3c879502f91b7e4ccbd300372108ffe0cfd2e49070c54f1b27fb83d3c0a7344ea7393b619f1fd6b21314915e32c50fb93f5a1511a383098107c57f1a14faf1d
-
Filesize
51KB
MD59abcc480d2a0cede7fd7393e50c0333c
SHA1de6d9114c9632e4683fd7a03251d0de34893f64e
SHA2562ddbd04182af159fbd282610381b9a265ebced2338fcafccba93556ac710f09f
SHA5124be9e6a999a89188b0bf20849f6663914a44c67acd382514fd554d87fb72bff3ca1cdc9a11e163085e5638ef8c16d35383bf9611e409aa07b249dcd9c2dfdc49
-
Filesize
47KB
MD5391168ff06e8d68c7a6f90c1ccb088be
SHA1c3f8c12481c9d3559e8df93ade8f5bfefd271627
SHA2567f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525
SHA51271fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6
-
Filesize
46KB
MD59c127d90b405f6e4e98e60bb83285a93
SHA1358b36827fb8dbfd9f268d7278961ae3309baaa1
SHA256878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578
SHA512bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73
-
Filesize
32KB
MD550681b748a019d0096b5df4ebe1eab74
SHA10fa741b445f16f05a1984813c7b07cc66097e180
SHA25633295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a
SHA512568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e
-
Filesize
328KB
MD5c7ad9f8721cac9822ad70f2e1737b070
SHA17cc4133e5e092aa117291dd2b310572b2c2f7bdd
SHA2567f17488d24e106804d8cce2c342a170e3e32d503b4af5417b25ecbbb80be2b5c
SHA512fc8c98e07f9e4398a619c5f0e064b5e5c0883db638c2b494aaa5394d80bf60d39dd5f9c1df7f4bf966a24819408ec465fd3db064021896c9f86c81c030ca67ca
-
Filesize
314KB
MD56132d850a2cc939d338f3cb699b87aaa
SHA1553366e320c574030dc996d608cc0b6e0dede672
SHA2568c61d67e0f6eb8f2b378bd6a5688e2e8bc9f5756da163e5236a0656bf8ccd25b
SHA512590230014be668343dfc8f0b44c68841f5acaa9685ac7cfec1e346c052835747141265008b6602cf8c8f7d6a441acb34f560243b4e4c354fd471046103c06a34
-
Filesize
365KB
MD5fbf09be5a4b447d06479adf39a90c57f
SHA18f0311b2bc5f14b23f6823e515b633cb87c5fcd2
SHA256578a9897f5449e19dac75c3dae6ab13abf6af78c4bda0aa02a1a804771ac960b
SHA512029f7c79f5965bdad2619821cc672b44d7351ae69cc4c2e7791f34fc9ba5b7887f28c7eb4f2f4ca0b63c34a69e5df47c642971432f142041b298470cadad65a1
-
Filesize
367KB
MD5188927d8245b4a76b814f959f99d3bda
SHA1d69758a0e54e3c7b169331332dc779d5281e3870
SHA256183c609fb27b3410afe44b985fe6819ff56920ddd250345dfa50d9c29a4a3b92
SHA5120094bfde6a4814bdb0f5143b189b9fe6c8a90644c98c40de6e8489e12a623fb9239e3f7183e6dbfd982eef230809f0eb7ff7d18f287d5f91a532a4966a303702
-
Filesize
362KB
MD517fca415b7e48c2c2fdd19f6d6e8d963
SHA114ae5776de719e91dbebc1d3b6b99e58d54d78f3
SHA256805f0eb289ee420b282882c66eba1bb1e335f260b517a99c263f23717d04fda5
SHA512ba7479f9b641da6824867e449b3398124d3d13da8cc182f3e6bb6db74d8b8e900143119a12563d6947db652f33edad1ce391b529ce828ef6fc36e341b3f3be29
-
Filesize
159KB
MD5ab6f8e83a55fadfc107060ed8311e0a4
SHA155a39474b14b6600543080268d41e8732ba0edad
SHA2568647f007d314a30ae0760a8b70c6c42b4cf0e7da321795dbf1d254377a70ff18
SHA512f5be5c78e9d10dd69c8b21ab4d5702a3a24e2ff4cec19ae56a9d58e6ceb9edc40e17b548373b7db5ce58b6759ef3ce361e8514c774fda9a7d988d330a7944732