Analysis
max time kernel: 536s
max time network: 536s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-12-2024 12:06
Static task: static1
General
Target: XWorm-RAT
Size: 286KB
MD5: 3e93b5fa005b274eb84d23478ec99b48
SHA1: a0952ac33f53143430b3d95f8d040fe43244b107
SHA256: bcd1d83e9ada9ee87dc4b81ae89bf9ec7ff393291498a06a6fdd1beda496e947
SHA512: 5339e319df657b7b366129b27141ac6f2e668f668e6916977f9506127df3777b68e64d587757525bcdcfc4f5f4236a0433923bc38819d84226aec0a0892dd313
SSDEEP: 6144:1yssgpOL/saqkPV9FemLtcIDSsmwf9KvZJT3CqbMrhryf65NRPaCieMjAkvCJv1j:kssgpOL/saqkPV9FemLtcIDSsmwf9Kvs
Malware Config
Extracted: xworm
C2: 127.0.0.1:7000
LDr3dSUbweENStU4
install_file: USB.exe
The configured C2 is the loopback address, so this build as analysed can only reach a controller running on the infected host itself; treat it as a builder-default or test configuration rather than a live C2 indicator. The unlabelled 16-character value is reproduced exactly as the report shows it.
Extracted: gurcu
https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb
https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendMessage?chat_id=2024893777
https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/getUpdates?offset=-
https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take
The stealer component the report labels gurcu exfiltrates over the Telegram Bot API: the bot token sits in the URL path (the digits before the colon are the bot's account ID, the part after it is the secret that Telegram can revoke) and chat_id is the operator's chat. The percent-encoded caption of the first sendDocument call decodes to a tree listing of the uploaded browser data (cookies, BrowserDownloads.txt); the last one is a screenshot upload. The first and last URLs are truncated in the report.
Signatures
Detect Xworm Payload (1 IoC)
  resource: behavioral1/memory/3428-828-0x0000000000F70000-0x0000000000F80000-memory.dmp  yara_rule: family_xworm
Gurcu family
Xworm family
Executes dropped EXE (3 IoCs)
  PID 2340 Command Reciever.exe
  PID 4884 svchost.exe
  PID 3428 XWorm.exe
Loads dropped DLL (2 IoCs)
  PID 2340 Command Reciever.exe
  PID 4884 svchost.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Uses the VBS compiler for execution (1 TTP)
  The vbc.exe and cvtres.exe processes that appear in the language-discovery IoCs below are the .NET Visual Basic command-line compiler and its resource converter: source is compiled to an assembly at runtime. This is not Windows Script Host.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdater\\svchost.exe"  (reg.exe)
  The value name imitates a Chrome updater and the image is the file Command Reciever.exe dropped under %APPDATA%\GoogleChromeUpdater (see NTFS ADS below), named svchost.exe to blend in with the real one in System32. A Run value whose image is svchost.exe outside %SystemRoot%\System32 is a hunt query on its own.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)
  flows 1, 34, 35, 36, 37, 38: camo.githubusercontent.com
  flows 39, 48, 51: raw.githubusercontent.com
  In this run these are the Edge session that fetched XWorm-RAT-main.zip (see NTFS ADS below); the RAT's configured C2 is the loopback address in the Malware Config section.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: ip-api.com
Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 3120 tasklist.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (XWorm RAT V2.1.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Command Reciever.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (vbc.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cvtres.exe)
Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (Command Reciever.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (Command Reciever.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  (svchost.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  (svchost.exe)
Delays execution with timeout.exe (1 IoC)
  PID 2368 timeout.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
  msedge.exe, nine events: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (3), Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (3), Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (3)
Modifies registry class 56 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 660031000000000085592261100058574f524d2d7e3100004e0009000400efbe85592261855922612e0000005cf5000000000500000000000000000000000000000023ed0101580057006f0072006d002d005200410054002d006d00610069006e00000018000000 Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Command Reciever.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" Command Reciever.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" Command Reciever.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" Command Reciever.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 680031000000000085592261100058574f524d527e312e3100004e0009000400efbe85592261855924612e00000006a50200000003000000000000000000000000000000062c6200580057006f0072006d0020005200410054002000560032002e00310000001a000000 Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Command Reciever.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff Command Reciever.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "6" Command Reciever.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Command Reciever.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Command Reciever.exe Key created 
\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Command Reciever.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Command Reciever.exe -
Modifies registry key (1 TTP, 1 IoC)
  PID 3732 reg.exe
NTFS ADS (3 IoCs)
  File opened for modification C:\Users\Admin\Downloads\XWorm-RAT-main.zip:Zone.Identifier  (msedge.exe)
  File created C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe\:Zone.Identifier:$DATA  (XWorm RAT V2.1.exe)
  File created C:\Users\Admin\AppData\Roaming\GoogleChromeUpdater\svchost.exe\:Zone.Identifier:$DATA  (Command Reciever.exe)
  The first entry is the mark-of-the-web Edge writes on download. The creator column of the other two gives the drop chain: XWorm RAT V2.1.exe writes Command Reciever.exe to %TEMP%, and Command Reciever.exe writes the svchost.exe that the ChromeUpdate Run value points at.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3428 msedge.exe 3428 msedge.exe 2436 msedge.exe 2436 msedge.exe 804 msedge.exe 804 msedge.exe 3820 identity_helper.exe 3820 identity_helper.exe 4048 msedge.exe 4048 msedge.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2340 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 4884 svchost.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe 2024 Command Reciever.exe -
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2024 Command Reciever.exe
  PID 4884 svchost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
pid Process 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 3132 msedge.exe 3132 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe -
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 2340 Command Reciever.exe
  Token: SeDebugPrivilege  PID 3120 tasklist.exe
  Token: SeDebugPrivilege  PID 4884 svchost.exe
  Token: SeDebugPrivilege  PID 3428 XWorm.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2024 Command Reciever.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe -
Suspicious use of SendNotifyMessage 39 IoCs
pid Process 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2436 msedge.exe 2024 Command Reciever.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe -
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 4884 svchost.exe
  PID 2024 Command Reciever.exe
  PID 3428 XWorm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2436 wrote to memory of 660 2436 msedge.exe 81 PID 2436 wrote to memory of 660 2436 msedge.exe 81 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 
msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3380 2436 msedge.exe 82 PID 2436 wrote to memory of 3428 2436 msedge.exe 83 PID 2436 wrote to memory of 3428 2436 msedge.exe 83 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 PID 2436 wrote to memory of 2508 2436 msedge.exe 84 -
System policy modification (1 TTP, 2 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  (XWorm.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (XWorm.exe)
  EnableLUA = 0 disables UAC for every user; writing this HKLM value needs an elevated token and the change takes effect at the next logon.
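The two registry writes that matter in this run, the EnableLUA=0 policy change and the ChromeUpdate Run value, are the ones worth turning into detection logic. The Python below is an added example, not code from the sandbox or the sample. It triages registry events given as (process, operation, key path, data) in the report's own notation; SAMPLE_EVENTS is built from the IoC rows above, plus one benign read and one benign Run value made up here as controls. The ATT&CK technique IDs are the editor's mapping, not the report's.

```python
"""Triage registry-write events for UAC disablement and masquerading Run-key persistence.

Added example: not code from the sandbox or the sample. SAMPLE_EVENTS is constructed
from the IoC rows in the signatures above, plus two benign rows made up as controls.
ATT&CK IDs are the editor's mapping.
"""
import re
from pathlib import PureWindowsPath

# Run values pointing at these names are expected only from these directories
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$")
UAC_VALUE = r"\registry\machine\software\microsoft\windows\currentversion\policies\system\enablelua"

# (process, operation, key path, data), as the report prints them
SAMPLE_EVENTS = [
    ("XWorm.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    ("reg.exe", "Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate",
     r"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdater\svchost.exe"),
    ("msedge.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", None),
    # constructed benign control: an updater registered from its own directory, with arguments
    ("OneDriveSetup.exe", "Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def image_from_run_value(data):
    """Strip quoting and trailing arguments from a Run value, keeping the path to the .exe."""
    m = re.match(r'\s*"?(.+?\.exe)"?(?:\s|$)', data, re.IGNORECASE)
    return m.group(1) if m else data.strip().strip('"')


def triage_registry_event(event):
    """Return [(technique, message), ...] for one registry event; [] when nothing matched."""
    proc, op, key, data = event
    findings = []
    if not op.lower().startswith("set value"):
        return findings  # opens and reads are discovery noise for these two rules
    k = key.lower()
    if k == UAC_VALUE and str(data).strip('"') == "0":
        findings.append(("T1548.002", f"{proc} disabled UAC prompts via EnableLUA=0"))
    if RUN_KEY_RE.search(k):
        image = PureWindowsPath(image_from_run_value(data))
        findings.append(("T1547.001", f"{proc} registered Run value -> {image}"))
        parent = str(image.parent).lower()
        if image.name.lower() in SYSTEM_BINARIES and not parent.startswith(SYSTEM_DIRS):
            findings.append(("T1036.005", f"{image.name} launched from {image.parent}, not System32"))
    return findings


def triage(events):
    """Map technique ID -> messages across a batch of events."""
    report = {}
    for ev in events:
        for tech, msg in triage_registry_event(ev):
            report.setdefault(tech, []).append(msg)
    return report


if __name__ == "__main__":
    for tech, msgs in sorted(triage(SAMPLE_EVENTS).items()):
        print(tech)
        for m in msgs:
            print("  ", m)
```

The masquerading rule deliberately fires only on the combination of a system binary name and a non-system directory, so a legitimate updater that registers itself from %LOCALAPPDATA% is reported as plain persistence and not escalated.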
Processes
PIDs are recycled within the run: 3428 is an msedge.exe network-service utility process in this tree and XWorm.exe in the signatures above, and 3732 is an Edge renderer here and reg.exe under "Modifies registry key". Correlate on image name and parent, not on PID alone.
[1] PID 3504  C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-RAT
[1] PID 2436  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] PID 660  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd96f53cb8,0x7ffd96f53cc8,0x7ffd96f53cd8
  [2] PID 3380  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  [2] PID 3428  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] PID 2508  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  [2] PID 1892  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  [2] PID 2280  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  [2] PID 4100  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  [2] PID 4412  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  [2] PID 804  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] PID 3448  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  [2] PID 3820  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] PID 1248  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  [2] PID 3732  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  [2] PID 2660  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  [2] PID 4264  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  [2] PID 4740  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  [2] PID 4156  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:12⤵PID:2604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:12⤵PID:4684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:12⤵PID:3596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,16522541635094806453,15761703290983559935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4048
-
-
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3092
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1020
C:\Windows\System32\rundll32.exe (tree depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4928
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe (tree depth 1)
  Command line: "C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID: 4576
  C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe (tree depth 2)
    Command line: "C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 2024
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (tree depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xrw0d11\4xrw0d11.cmdline"
      - System Location Discovery: System Language Discovery
      PID: 4496
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (tree depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64CEDC2089DF47B697261D3EE5E8D72D.TMP"
        - System Location Discovery: System Language Discovery
        PID: 4556
  C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe (tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2340
    C:\Windows\System32\cmd.exe (tree depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF13C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF13C.tmp.bat
      PID: 1588
      C:\Windows\system32\chcp.com (tree depth 4)
        Command line: chcp 65001
        PID: 3508
      C:\Windows\system32\tasklist.exe (tree depth 4)
        Command line: Tasklist /fi "PID eq 2340"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 3120
      C:\Windows\system32\find.exe (tree depth 4)
        Command line: find ":"
        PID: 728
      C:\Windows\system32\timeout.exe (tree depth 4)
        Command line: Timeout /T 1 /Nobreak
        - Delays execution with timeout.exe
        PID: 2368
      C:\Users\Admin\AppData\Roaming\GoogleChromeUpdater\svchost.exe (tree depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdater\svchost.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 4884
        C:\Windows\System32\cmd.exe (tree depth 5)
          Command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdater\svchost.exe /f
          PID: 1608
          C:\Windows\system32\reg.exe (tree depth 6)
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdater\svchost.exe /f
            - Adds Run key to start application
            - Modifies registry key
            PID: 3732
C:\Windows\system32\wbem\WmiApSrv.exe (tree depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3472
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\InvokeWatch.html
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3132
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd96f53cb8,0x7ffd96f53cc8,0x7ffd96f53cd8
    PID: 4592
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,4732410472378637033,9334150739446145041,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
    PID: 1604
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,4732410472378637033,9334150739446145041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    PID: 744
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,4732410472378637033,9334150739446145041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
    PID: 4748
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4732410472378637033,9334150739446145041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    PID: 4868
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4732410472378637033,9334150739446145041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    PID: 2352
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5060
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2992
C:\Users\Admin\Downloads\XWorm.exe (tree depth 1)
  Command line: "C:\Users\Admin\Downloads\XWorm.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID: 3428
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID: 4772
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffd96f53cb8,0x7ffd96f53cc8,0x7ffd96f53cd8
    PID: 2332
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
    PID: 2200
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
    PID: 3900
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
    PID: 1900
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    PID: 764
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    PID: 1640
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
    PID: 1108
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
    PID: 2304
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    PID: 3984
  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,6916997660796438971,9677813340087674990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    PID: 4988
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5068
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4652
Network
MITRE ATT&CK Enterprise v15 (technique hit counts in parentheses)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (4)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize
11KB
MD53ac887496162e1042bdff3a900243aef
SHA16cf5240bf23b331b41c068ca243ee664c2ccf363
SHA2561f1c69e0911c21883b5f5b39405989e56e451121b85bd217d09371cdd3b5c1d7
SHA51273c75fdec131020396ce3ee1b1167ab1b0e6a845dbc6eedcec87458ecaedace5a8ad5553fdfc737ea32bff274c4ddc9a864d83194bb4989a79476479b82c626b
-
Filesize
11KB
MD55c933dbd325eaed235bfe6c8f2c88aa0
SHA15a91c7d9ec36c25ac66f97185ac6217c41a9af4d
SHA256001e53df495f0afc4e28c0a469c4898f996924f6a7eea168cc58b20d0137189d
SHA5128cf9a76b702f419899227135175b7b276305166ac5e3e83858547a524b35c2efa305729654a99b17e25b5116445a283e8f6e41ecc80a7e5b017090ef24d9cceb
-
Filesize
10KB
MD593536b52e34e2b3169575e6cd9314d2b
SHA1ac4310508651c507d66808182784a0107ae7f27e
SHA25667f5e4d2afa611dc9e3ac485dfd37ead011f631998da0d2e75fe013cc0de01e7
SHA512c9e1b01d838e47042c794f67ffabadd7f2d0405f55fc8d3e45bd0c4916d5cc162090f11ad0cbd2525569a2ae376903849826b658bb91a19ff5ed293589ab6f5f
-
Filesize
10KB
MD5667d467bacfe052e48d76aaf129dc2bd
SHA11fa29889ace4ca095799893c21079c620d4e8ea8
SHA25635f278dc9e9b17d5a7817325a36da3bf1a441f3d436c1a3574fa23e8859e4da1
SHA5122c5c9892edb00f5469be8651e34a1fceead2877b5293caec4863eece525422c947cf41556c49da229c87bb4a9b57a5a882a160468134f9d74127514ddde4ed25
-
Filesize
264KB
MD5a6e3251550c2685b701706e6755b7936
SHA1ee0b764cb49f8ad874f0aefe70e855b5787b20cf
SHA256b60b056e054ecb1388cf29f7a21be30a016849690ff25c1cd1509c4abc138c78
SHA5129f4a17e2c0a67479a6a95dda973cd2ddb849583e29214e41b67fae55af6d724be6f0e097b68977d46484a7d6cfedb7a221e58d73c3fa5f0eb1aed5fdf4ddab34
-
Filesize
5.6MB
MD5b613ad1f34e8ff6ae6facd1d756a0f74
SHA1edb5c49c20f6b3cf4ffa6520f1543b8121ebfba3
SHA256dfa12edd80f7bd4a5f5f4b4634b018caa91088fcedbe1de3a83ce748e2299d9b
SHA5125e4d603db454334db36014ee0a0d8ac5c9d4f1c04c4c211225cc2af4ef87900f30a80b24cef42cea6494af062dd8a7f42c8a7ad231974d25b38857b76a9e0035
-
Filesize
83B
MD595bab9dd14853aee78129288e8c45f28
SHA1563777d569a67ad38ce522dd82fa8bd854126b04
SHA25673133a3a8bc13080ed4b6c22e7bc9126a9fd343436e09ac2a83f3f8bc578fc37
SHA512201473a26a2099b10a58b2a46e70ec4c5388b497f76b53e0b7cf742576cb46676aca76a5452c4f6a109f92490192bd8eaa0b47d7cd563db45880b36d3156c6b6
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
283B
MD53e9e4dcfb6bbbba2eafae141d1ac434e
SHA17f8a8b7357a1878219a4185ea2c015ff0aebe1a9
SHA25605348b39e813008843fd994127345c24fc2a22da575c03cbcd7646e669819bf2
SHA512efbf7b9908fee9c7aff3898e65b0182f5ac18ed7e85152cbcd1144d9aef525756f68dfd7ae7c0de658f140a97384db3fb2621be0c42aec62857e33be1550a249
-
Filesize
34.0MB
MD513b7a09fed32886071e355f65409b611
SHA1dfdb06e1790ba99ddae213fb20ed1b885fa34f0c
SHA256df02ba520c9055eeb44e0cd7c0b9ccb7b0fccafdd9471569eb63268d45244c22
SHA5124baa13f9a00f7d80c0eead27e89118d9c688e7cd3d471cbfb88c57d2020d8e8f2459b50609839e892b0a6e75a63d54112ae76e59dfa14b032f8dd688af3a04c5
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98