Analysis

- max time kernel: 1050s
- max time network: 910s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2024 19:37
Behavioral tasks

- behavioral1: Sample XWorm-5.6-main/Xworm V5.6.exe, Resource win7-20240903-en
- behavioral2: Sample XWorm-5.6-main/Xworm V5.6.exe, Resource win10v2004-20241007-en
- behavioral3: Sample XWorm-5.6-main/XwormLoader.exe, Resource win7-20240903-en
General

- Target: XWorm-5.6-main/Xworm V5.6.exe
- Size: 14.9MB
- MD5: 56ccb739926a725e78a7acf9af52c4bb
- SHA1: 5b01b90137871c3c8f0d04f510c4d56b23932cbc
- SHA256: 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
- SHA512: 2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
- SSDEEP: 196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i
Malware Config

Extracted
- Family: xworm
- Version: 5.0
- C2: 10.127.1.218:7000
- uBj08adO6b2UYXMU
- install_file: USB.exe
Signatures

Detect Xworm Payload 6 IoCs
(resource: yara_rule)
- behavioral2/files/0x0003000000000707-26.dat: family_xworm
- behavioral2/files/0x000300000000073b-42.dat: family_xworm
- behavioral2/files/0x00070000000006f3-48.dat: family_xworm
- behavioral2/files/0x0005000000000731-116.dat: family_xworm
- behavioral2/memory/1352-615-0x0000000000490000-0x000000000049E000-memory.dmp: family_xworm
- behavioral2/memory/4120-618-0x0000000000B60000-0x000000000B6E000-memory.dmp: family_xworm
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload 1 IoCs
(resource: yara_rule)
- behavioral2/memory/4120-1631-0x000000001D990000-0x000000001DAB0000-memory.dmp: family_stormkitty
Stormkitty family

Xworm family

A potential corporate email address has been identified in the URL: [email protected]
Executes dropped EXE 2 IoCs
- PID 1352: Updatedpepperx.exe
- PID 4120: XClient.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Uses the VBS compiler for execution 1 TTPs
Drops desktop.ini file(s) 17 IoCs
File opened for modification by XClient.exe:
- F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\3D Objects\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" (XClient.exe)
Drops file in Program Files directory 2 IoCs
- File opened for modification: C:\Program Files\Crashpad\settings.dat (setup.exe)
- File opened for modification: C:\Program Files\Crashpad\metadata (setup.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 9 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Xworm V5.6.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (Xworm V5.6.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Xworm V5.6.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
- PID 3652: ipconfig.exe

Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\TypedURLs (Xworm V5.6.exe)
Modifies data under HKEY_USERS 2 IoCs
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765188673028729" (chrome.exe)
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 4120: XClient.exe
Suspicious behavior: EnumeratesProcesses 45 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 3852: Xworm V5.6.exe
- PID 3400: chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 59 IoCs
Suspicious use of SendNotifyMessage 53 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 3852: Xworm V5.6.exe
- PID 3852: Xworm V5.6.exe
- PID 3852: Xworm V5.6.exe
- PID 3400: chrome.exe
- PID 5180: msedge.exe
- PID 4120: XClient.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"
  PID: 3852
  Signatures: Enumerates system info in registry; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e34p5dqz\e34p5dqz.cmdline"
    PID: 708
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBFA7BBB390746BAA99E8DF667B12588.TMP"
      PID: 2856

  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i2do1ink\i2do1ink.cmdline"
    PID: 3684
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6236.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89B7148C716144F89444181F1CB31350.TMP"
      PID: 724

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://evilcoder.mysellix.io/
    PID: 3532
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb263f46f8,0x7ffb263f4708,0x7ffb263f4718
      PID: 4112

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
      PID: 5040

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      PID: 4708
      Signatures: Suspicious behavior: EnumeratesProcesses

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      PID: 4892

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      PID: 1680

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      PID: 1928

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
      PID: 2788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:13⤵PID:1996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:83⤵PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:13⤵PID:5024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:13⤵PID:1496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:13⤵PID:2552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:13⤵PID:4320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:13⤵PID:2932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:13⤵PID:1384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:13⤵PID:3984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:13⤵PID:5424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:13⤵PID:5704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:13⤵PID:5880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:13⤵PID:2412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:13⤵PID:5764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:83⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,16615019208970508202,6456061771182752701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:13⤵PID:4168
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1200
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3f8 0x5001⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
PID:3652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0x70,0x124,0x7ffb3574cc40,0x7ffb3574cc4c,0x7ffb3574cc582⤵PID:3652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:22⤵PID:4452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:32⤵PID:1484
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2084,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:82⤵PID:2224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:12⤵PID:4948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3308,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:3124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3720 /prefetch:12⤵PID:2140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:82⤵PID:1644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:82⤵PID:3240
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
- Drops file in Program Files directory
PID:4588 -
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff627104698,0x7ff6271046a4,0x7ff6271046b03⤵
- Drops file in Program Files directory
PID:1488
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4880,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:12⤵PID:4092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4732,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:12⤵PID:2624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3416,i,12692136984835885693,13643609423655514347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:4812
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4124
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2552
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:232
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5384
-
C:\Users\Admin\Downloads\Updatedpepperx.exe"C:\Users\Admin\Downloads\Updatedpepperx.exe"1⤵
- Executes dropped EXE
PID:1352
-
C:\Users\Admin\Downloads\XClient.exe"C:\Users\Admin\Downloads\XClient.exe"1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4120 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵PID:6056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb263f46f8,0x7ffb263f4708,0x7ffb263f47183⤵PID:5184
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵PID:4696
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
11KB
MD506d832117eb6188af0d7d156492aecc0
SHA1853a46cf6d0668969d08f7af1c2192bf8d8f712d
SHA256a53c277a43bf1a5d3af5166e80c71961175c541a11d19d54b24e3be562f3d77b
SHA512887a6b9294f68978cebdd800225dbaf743834ffd8ec715bce07e8357612040a60ea64d4b5abd450d9bb50d8510548d6c76e84b2ff23accf158850f67a6e69ae2
-
Filesize
1KB
MD53d49f42b8443f2ac21a6c527a564520f
SHA14d8cf87404130658850906d04de470930accda86
SHA256e41ec4d596a6dd05db2d08dc1295a71e9aff647ba30de5269ef1854b207e7e60
SHA512cfc4aa8bb88371285d54bd4f1e797e78470d988cd6825d8ac09d2af5b07a3f29ce66b2d5322ba238060ec0c499b77c99ce6b2b396354c02caf70f0301a7a192e
-
Filesize
1KB
MD5ab8d945d941f1f28ddb4359b58d76d61
SHA1109d0435f9ef2b05e8fda2d40c0d40b7b6f3f64c
SHA25684f26f84a8b1ece707144ca5584628c4f1f87c37ef3c055bdc6e218ba93f5fc2
SHA512ae78f827aca9c8079c51abb7758db771c40eaea25ac02a50703c0614c9e888cf5da4e3d081a51e8b8e8abd3d1ff0d3aab3bba51e31ba87760b6a1e65465c797a
-
C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\ClientsFolder\A6253EC2AD93FB8612FA\Recovery\RecoveryData\cookies.txt
Filesize583B
MD573b8bfc9e5e419e32f7d4152246d25cf
SHA123a05db70f1a023a416df703f0ebfb0be1642593
SHA256c0d656b143620d8c4a4735cd2e20bdd71171e017edf9827712ebaa21285aee63
SHA5121a59ca12614fc878193d66125ed884659c78a4802495ec836d6d410747456d00db590d3a62e58b566f0287fa20f751a5fef2c1a0ec4c2bb39409d9249f85486b
-
Filesize
78KB
MD5cdb1a163c09e8e2b3697bac98c0d7679
SHA1c25700aa635ea371598fa2b9f59f90e70e06f44f
SHA256cfe54e9d6a0235d962dccc716220aedd25cc31789d652cea150abf3f2d7307d6
SHA5125fb75d2fe8d0b832ec24a78d2399db5bd13402e2e4c2cdcc23194604ffa287999604689127eab125b6b3f7a34d1075dc35be221d8de1801741133d66d94be9de
-
Filesize
292B
MD55f1226a97eb0f53a0cbd1b2cecd302a4
SHA1e2c51f834992063bd88638cff811f64bcf9949b6
SHA25640e3bbcb2765430d84800cc46896433873f23d4c7e4aab6f11f3e74eb417db6f
SHA512ce08151f998b06925de46e2d76edd3af2d152760237e328d7bd34a3bdc347abfafef8445591df0e832cbd95750237dd95c823d1f4f885665dab6cfa0aae2f9ab
-
Filesize
78KB
MD5c7fdb461c4bc08199d853468381c790d
SHA15c8ae11d71a90973605e21214fe3364cbc8f45f8
SHA256ea1b7800a23c5cb8d545a1ee7322959fb3c1d2d5a622350e12391607ed69ad63
SHA5129d7ad0ed55dbc20baa2697183ffe795ed3369c5741d0d9103cc7796816ce4ac90e0238955668e9c5abf436660d071d21ac8acde0839c03c8026ee9411973d485
-
Filesize
299B
MD5e9e34ed19507328e00d410790f0adfbf
SHA1f39a204d410220dc0a1eaa1e8004bff8196cc278
SHA256b6532b4711e2222af79b34d1e48992a905b1592296b42ce2c3df159218e74ef3
SHA512837197569f5e410f0ffcf2d19a9fd2fac5f3d12079a37cec99deb8dffe42682c6cfeb2fb3a517f2455648fcaf44e5e314f2028fd02b7497dc16a346be2612a70
-
Filesize
1KB
MD579f487323daa8e05769d10f06e864a43
SHA19179ffbaedef2384a65d12e1fc1679bc94db180e
SHA256b5ffdd8e421379d7c22323bcc2395d9041af4a7943b5af1a07c6941aee076309
SHA512b35a643daa836921108dcdc7bb92ee7e82713ced3cb1e802fdd52b618a2caa421bc7c507343f31dfcb8b46499a6c22922b93912d17eaaff0360a6b97a4db15cc
-
Filesize
1KB
MD5d40c58bd46211e4ffcbfbdfac7c2bb69
SHA1c5cf88224acc284a4e81bd612369f0e39f3ac604
SHA25601902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca
SHA51248b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68
-
Filesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
Filesize
32KB
MD59d9fddda31a6b399bc586da2015a68d1
SHA14c78349be71d37a796fd65d2a59d8bfc9167b976
SHA2568fda43443a2fb28233cc885aba8e4a738d1a8bc540eaa6140d005c7a7e4422a7
SHA5123e57850a7384cc8d8b4f434f7ab40b94332fe11915cf7826e1b4e6e9f805db1f91befe0f3a161ce6928cb25f89862c95b3e75e9b8748579dc80cbbfd2c81c8b9
-
Filesize
32KB
MD56dfb2d805d3f8d5a95e9265efe6e6fe6
SHA114b8b66f0e5e8890bc824d38cabf02af1d8604dc
SHA2560735f13f228afe03fefd98b2d8d59c2f8a72abc8867eca4abdc190a55be39fe0
SHA5121eff5e4ab381cd56a09a07fbcc816214906702110ec595359cea9e407c97b157690eb1cfbfd8f5a55f13b66593e1988d3b191da25c6a91b32c882c46732e3d4d
-
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize16B
MD50521d8fa3bbc1572d1eb2818004a455a
SHA1b70768aeccaa07bf847a770670a4dd8244f93bd9
SHA256bb25bce5d7e191ac664a8253c7beb5fa60e2bef47d86507c83bbe45579ac527e
SHA5121e4c19cfb6f434a7975907e9268b1207eae99bf99217ca1d02cc0671dac431ca9d6483eee658d581e33ef3268f922498ca573684fc45f42f5191434bd016671f