rhadamanthys | hxxps://github[.]com/QZwaRT/XWorm-Remote-Access-Tool

Analysis

max time kernel
336s
max time network
338s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/QZwaRT/XWorm-Remote-Access-Tool

Score

10^/10

rhadamanthys defense_evasion discovery phishing stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

resource	yara_rule
behavioral1/memory/1736-1224-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys
behavioral1/memory/1736-1225-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys
behavioral1/memory/624-1246-0x00000000023B0000-0x00000000027B0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4204-1346-0x0000000002430000-0x0000000002830000-memory.dmp	family_rhadamanthys
behavioral1/memory/3732-1359-0x0000000002400000-0x0000000002800000-memory.dmp	family_rhadamanthys
behavioral1/memory/1668-1363-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: 67C716D751E567F70A490D4C@AdobeOrg
phishing

Executes dropped EXE 6 IoCs

pid	Process
3384	winrar-x32-701.exe
1736	XWorm.exe
624	XWorm.exe
4204	XWorm.exe
3732	XWorm.exe
1668	XWorm.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
25	camo.githubusercontent.com
13	camo.githubusercontent.com
22	camo.githubusercontent.com
23	camo.githubusercontent.com
24	camo.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7-Zip\Lang\ne.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\gu.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt-br.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ug.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eu.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ta.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kab.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sw.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ba.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\id.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\readme.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\vi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7-zip.chm	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7z.dll	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\en.ttt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\az.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ps.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\si.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\is.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\va.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7z.exe	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fur.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\gl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\he.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ar.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\el.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ga.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nb.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cs.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spc.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7zFM.exe	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\an.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\License.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ca.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\yo.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ko.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lv.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ru.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sv.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\descript.ion	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DF4DA8C65C4ECF94C6.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBE6C1FED9A906711.TMP	msiexec.exe
File created	C:\Windows\Installer\e5ace23.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF152FE3A3667B5CD9.TMP	msiexec.exe
File created	C:\Windows\Installer\e5ace1f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ace1f.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEE7245FD428D2734.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2701-2409-000001000000}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF86.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x32-701.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO4B13B30B\XWorm.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO4B14715B\XWorm.exe:Zone.Identifier	7zFM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar-x32-701.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe

Checks SCSI registry key(s) 3 TTPs 13 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fe04b3d77c703a960000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fe04b3d70000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fe04b3d7000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfe04b3d7000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fe04b3d700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724290000010000000\Program = "Complete"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724290000010000000\LanguageFiles = "Complete"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724290000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\SourceList\PackageName = "7z2409.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\ProductName = "7-Zip 24.09"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\PackageCode = "96F071321C0410724290000020000000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724290000010000000\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000\96F071321C0410724290000010000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\Version = "403243008"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724290000010000000\DeploymentFlags = "3"	msiexec.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 876633.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x32-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 680181.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2409.msi:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO4B13B30B\XWorm.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO4B14715B\XWorm.exe:Zone.Identifier	7zFM.exe
File opened for modification	C:\Users\Admin\Downloads\XWorm.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
2564	msedge.exe
2564	msedge.exe
5004	msedge.exe
5004	msedge.exe
4880	msedge.exe
4880	msedge.exe
2804	identity_helper.exe
2804	identity_helper.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4476	msedge.exe
4476	msedge.exe
4448	msedge.exe
4448	msedge.exe
3156	msiexec.exe
3156	msiexec.exe
1736	XWorm.exe
1736	XWorm.exe
4532	7zFM.exe
4532	7zFM.exe
624	XWorm.exe
624	XWorm.exe
4532	7zFM.exe
4532	7zFM.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
4204	XWorm.exe
4204	XWorm.exe
3732	XWorm.exe
3732	XWorm.exe
1668	XWorm.exe
1668	XWorm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4532	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4424	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4424	msiexec.exe
Token: SeSecurityPrivilege	3156	msiexec.exe
Token: SeCreateTokenPrivilege	4424	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4424	msiexec.exe
Token: SeLockMemoryPrivilege	4424	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4424	msiexec.exe
Token: SeMachineAccountPrivilege	4424	msiexec.exe
Token: SeTcbPrivilege	4424	msiexec.exe
Token: SeSecurityPrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeLoadDriverPrivilege	4424	msiexec.exe
Token: SeSystemProfilePrivilege	4424	msiexec.exe
Token: SeSystemtimePrivilege	4424	msiexec.exe
Token: SeProfSingleProcessPrivilege	4424	msiexec.exe
Token: SeIncBasePriorityPrivilege	4424	msiexec.exe
Token: SeCreatePagefilePrivilege	4424	msiexec.exe
Token: SeCreatePermanentPrivilege	4424	msiexec.exe
Token: SeBackupPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeShutdownPrivilege	4424	msiexec.exe
Token: SeDebugPrivilege	4424	msiexec.exe
Token: SeAuditPrivilege	4424	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4424	msiexec.exe
Token: SeChangeNotifyPrivilege	4424	msiexec.exe
Token: SeRemoteShutdownPrivilege	4424	msiexec.exe
Token: SeUndockPrivilege	4424	msiexec.exe
Token: SeSyncAgentPrivilege	4424	msiexec.exe
Token: SeEnableDelegationPrivilege	4424	msiexec.exe
Token: SeManageVolumePrivilege	4424	msiexec.exe
Token: SeImpersonatePrivilege	4424	msiexec.exe
Token: SeCreateGlobalPrivilege	4424	msiexec.exe
Token: SeBackupPrivilege	1708	vssvc.exe
Token: SeRestorePrivilege	1708	vssvc.exe
Token: SeAuditPrivilege	1708	vssvc.exe
Token: SeBackupPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe
Token: SeTakeOwnershipPrivilege	3156	msiexec.exe
Token: SeRestorePrivilege	3156	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2564	msedge.exe
2564	msedge.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe
2804	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2384	OpenWith.exe
3384	winrar-x32-701.exe
3384	winrar-x32-701.exe
3384	winrar-x32-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3428	2564	msedge.exe	77
PID 2564 wrote to memory of 3428	2564	msedge.exe	77
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3400	2564	msedge.exe	78
PID 2564 wrote to memory of 3444	2564	msedge.exe	79
PID 2564 wrote to memory of 3444	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80
PID 2564 wrote to memory of 4644	2564	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/QZwaRT/XWorm-Remote-Access-Tool
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa1dd3cb8,0x7ffaa1dd3cc8,0x7ffaa1dd3cd8
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7024 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Users\Admin\Downloads\winrar-x32-701.exe
  "C:\Users\Admin\Downloads\winrar-x32-701.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,4073187738766394882,6203160889907399640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6936 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2409.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:72

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3320

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\91fbd8c33712453082e7aee131ed73ee /t 4512 /p 3384
1⤵
PID:3572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm.rar"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:4532
- C:\Users\Admin\AppData\Local\Temp\7zO4B13B30B\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B13B30B\XWorm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\7zO4B14715B\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B14715B\XWorm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:624

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2804

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3732

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5ace20.rbs

Filesize
20KB

MD5
ac0ef456caa0b91eea203eb280b27ecc

SHA1
0bdf9af1e64a98b93a54e5dfa503d6fcd17ba573

SHA256
98d512441dbfc5a9486c446873c889e9497ae413f122f3a4cacad7e41c004ceb

SHA512
3b95ffc1fec1795d5363b23392d130f584f6cf4934b3293b5ddec8dde515f7bed6b0369a9d45159746a053e7c1ab46921c79cfa48202a7f2c19e4425f6c80f8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\488171c8-5b06-44c6-986b-2ed5efeba07f.tmp

Filesize
6KB

MD5
f657b085290a637340d64e3f0120cb1e

SHA1
5b8771b212b288988d3125c899bd2d007c84e965

SHA256
e619daa5626d67f8eb427928e01000550d709d3e36b4b7f95339b0ad13e41c91

SHA512
053d5aefea475ce51f69f13647119080d808fda91858b4ee13c9487e2fa2f0ef44cd7d1adc34484e396216a9a8318255cf2666e172f7b6ec69c3c1b32f69050a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
47KB

MD5
9f96d459817e54de2e5c9733a9bbb010

SHA1
afbadc759b65670865c10b31b34ca3c3e000cd31

SHA256
51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609

SHA512
aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e632c2ef67a333fab94c006b83bbefb8

SHA1
51b9c641dc3ac3f08d295c2212945fff03fc1e9b

SHA256
56829d73c2619f3b3dad7cf40a97c53c092eaff526cd9f9501d8814990902898

SHA512
a06a5a90baf17dcd237c8e1cffbe04b0f3911dc67a0ad89dbdb1459deeca8af5fba16bf3e05704472c6677622e0c8dd182b42f7c6f1f596933cc53980354821f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
67c9b76ef2fe91a019ebf944813d7a5c

SHA1
e46bdb0341a8db516310029252b58a864e3a295a

SHA256
e4aae278a1fa005cde37b072a987e293de7bd1e3bd2ac18d9339784a75601ac1

SHA512
7e5a487ba4c30f3286fdda1846d25e0dcdff9d4be711b4f9536bb6c0bc6e4dc0f52a9d93ff707db0bdfc9c8f7f4a7e141f411b60efaa4c291b1e31592ecaca6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
990460414d5e5b86948c051cd2221fa5

SHA1
a16c1b31afcf40c933d51be872cd8ced1ee7ef5f

SHA256
f3c21691fc0696938099b0c4bf737a51387795684e4570d6436594e229002a06

SHA512
af2fb71a559bd42693e590280ca17c678fbed6f628d856d4c3dc006e9e7382b34ed2293ee9e745dd67a2d9d4b65ec3476e2020bd15433d2691f274f4144c1c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
18d401be9f407bfc9be52725aacfe54c

SHA1
07870ee2a35c31d3c2724fb27d3fcd1da5625779

SHA256
da48fdd0aa793a99fcc8e4d39edf339156d1eeee83250bebce2030fd182ed218

SHA512
defcbfb8bc4efc9ee04e12312f66137f3d711d0858944e450df29e3845ef65a264b52be0529be8d305fd8edbab48c405e035c99300a369f241d743bb1a2b0c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9f0337458675140cd8c8763e864f6b1d

SHA1
533fb03561780371658c216054e3ec9f8f8309d4

SHA256
201f16d571edfdfbe3c75707c0073a5cc0627f273fcd7a593c1f0c3274ee17e6

SHA512
12100aae9eb38e7914ccc4f13c240c32d0a73e259f26580e9f752a6c8b472f39fa399d6f18367aad40df80ea2a55f74d4a3e5d12c12da1eb4e9dc835a85c61d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
580B

MD5
29465d2ff67d8a226acbba80847ff947

SHA1
5e508884a4886cfe3abe3891b2767b896b29bd7e

SHA256
7e43b1113c64371a0bf0332d7c1f8ea829209da158a9be17a724b60b2b289843

SHA512
89c819585698085cb16228f367c54fc030cc710a9633f65768c24cae1dc56a84f8b6f9268a43912d223555bf816c994d5c20745f21b5d46bf13075c722221ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
945B

MD5
9dd73cbb3e07643fc74b1cf75c2192a1

SHA1
23c7773e1cfae4671064c281e38b1e456362dd75

SHA256
93f65a75411dfed58396e591ed4e7e37f610fe07756f80d7f46524751b914281

SHA512
2a421a922a3a172d7b3ff9313167770c15d7aa3c65bcacf367ea72489344220a21945a319d1a09c83b30427401d080f2b52ee0c20d5a80d2b9d5e40fc37e7986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
5ee2127bf106bfe69674f850976fe482

SHA1
af6316f71e825da465c2106e53db2c0836175756

SHA256
3738e3b29b04a8f9cc62546ef2c3dcf30f0c146785060d942c774ffdf3ba8693

SHA512
431a435c1e294cf864f135fb23d9889cbbe76ae0b67de851ba5b6b78611d178b458989e7334043c9656086c34844cdbb405b8ddc231a02e31924422af463d338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d2e6918038b0c05954b88bf7ed06327a

SHA1
c6d20a38dfae0deb45883a24aceb6d15d95a85fb

SHA256
b535b0d62a55b083b58b14084f22e40dfd3f1e725a916ae511b21b4f5ee716ee

SHA512
bab4c63b834357446f87ca8c22c2e8a3d0e2c5fc1411bb0c07e76766f6f8e7760b47b552219f7e1e68718f3695a62ac4a19ee8a3594be3ed245aa01b611c448a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3adea9a3ddcf6aad37d372e73d4ba38b

SHA1
658d00507fb836ab1980a6eaa8ec1a0629260df5

SHA256
6550634e86d47634c4177174c144a44c5ffb117891d657652f0d9e829b8cc5b3

SHA512
47286377598a8af668aa80f4fcb16f380f82c3460eed15ec35431bf8e2705f922d9ce54742ffa307d6c44972ac492e3ee27e8ceb17b37d1be3636a133482ea5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80d50092eec83412d86dbc7c17d857dd

SHA1
97176db87ccfae2ce51b4364b6f8c162f40190fe

SHA256
d9a92af985ca3442d8c00ee5453060a68ed8ca07f755d6cb9c6be3702d4351f1

SHA512
2af1194e6be5c9ed7a697cd62edaf0842c5e85f3975e6a1c620bd45a282e246b3e712f7c1d030bb346df8c857dd621839f61c24167116e27d8de298ea9bd513f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5cf4e4a0726531da485dd4c74e417340

SHA1
7ee4199aef257a650b1b51e9d526025e3d3f0c3b

SHA256
082ac608cca6302362dce996ae31936f971e357b1984297a3d00e45b15d8b7b6

SHA512
7779e1df013fd72e3eefc48f7fa1ae958d04849f706cf455dbadc5fd76d6ba03cc4d29db0a4e752d141ba6553fbe8070fb2633d0334238107303957d77f19357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0cbc5f7fcfc8044dd89c9fe66dcf189b

SHA1
96385e64f2ff2c462da2b64497be169d280025b3

SHA256
17f7c58cb8df09a75caa458262840093f9487d9d070fbdd105c89be8c5279161

SHA512
59c1da65d90897fc3cf76a43f65ac29e5e535c98fc58bba09c12c311f7e25811f2072d3fc88dc497e3a2d15bbd104e8926d907a56c7594430d5169bde33c5c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34f0dc719adba90e6b1949f5434bf7de

SHA1
f57e3563a04aab6e213a973e8cd896ad6544f8a3

SHA256
7af51044800ceb5570115696bd559d388238245b855049a3bc55c88c80361a8e

SHA512
e08f6763cbaa089223f89e26defb2170e5435d954e588747e7f3ab18af135c089bd2b34af801e5be956c6c1ea249892fc330f21b7947c9a07bdf9fa3d65bb007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ba46a804cbd71b6fef437226d599586e

SHA1
facc844b626c58bbc5b7b9d3c8b1f21a916135ab

SHA256
d5c87fc7fb9efed9f0a72005b7029565ebd1ff6d940e48f0f2abe1d00483d4a5

SHA512
0eba4bed694db8bbfa03f4ed635a3b7dc164b34ccbc97262526d6a0d0ef0b1d3f67cf42d904dcc0a6b9c20f553374fa2938dcc3595794d2cb332244609f99b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b05c80bf427cd908bcd671038789e0e8

SHA1
67b54bb1ee0a7fb01b4dee6cb4c2b49f8b8b538e

SHA256
a1f0c50011c29a3f7f3bcf9894f913a382f1ebaf7325ff4484353e73fd42ff16

SHA512
00313d48034040679b6c4751bcc707cf229bc123b6d293147e5c2ece5861594de48e8d958f7fd34f58d775c431e9ca48bb91c71575d0f94b1ef2909c7a294408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8cc00022a2abbaf3f41658e30aa7c25a

SHA1
504838bd4a13895bbc3d723bc6899f120070746e

SHA256
decd0fe7b1efd61b006e2fc539f6198fd98262b7821f81d1653943c42f2580f4

SHA512
ae88c49658c4ad283f524b1a2e1b4aad41dc74a09d16d3f98a8a63bc6424480eeaa61bfdcc08c19a6d7e3b6973d85d4499b9c537eaa4ef306ce2c7bcc7cfbf58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cee224db4158b9aa7f441e3c3157fca5

SHA1
2e7e204ffe205d76578f331f12d41c821ef80f3a

SHA256
5a63194688759bb936f91e9a693ae26905f4993f7ceec27fbb97a2f5a8a101fa

SHA512
a29aa0643087cbe26b90f99ef7e3bc4fb563ea8d11170ba2e2021187eb277142208e1536fe736a54d82d101a625caec75f1d657a2fc510ff892bde815edf1f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f78f8005c608908efaa1b9bea77e4d49

SHA1
da074c47d81647e5f98365c92305e5a10bb56d94

SHA256
4370d65b78036b3357514a74b73f1a928385a68786abe45e540b054e0978086b

SHA512
1a55326bcdd28816dbd21d078ddc6bf91b3e311bc2f1a4ae6d27dcf331d2a2e2bb56680daf581dc114a98c65071b2d66482437f7ad839a8c4c1e833e15da464c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a56bc.TMP

Filesize
48B

MD5
552a40631eb2851e67e5ed076447b051

SHA1
aad28e2095a76774575f0a0adf89db54a418ea12

SHA256
cbe07c6c39e7e1b93c19df93f359ba6c59707dd51a56cb9f4d88b09e439c5137

SHA512
4fed4125df20a53495c1108aa84f24da8ff19c38a0f057844a7dd985a8e1c9a4cfe9df58213d08fdc061762f995e65c3a4a0b3d89b7d95142a366f00a29add36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d6274837bae40d48ff6fba852a5f8ef

SHA1
b8456b33eac09462dcebc206b2ccb6c24d430216

SHA256
f980e2909b87e83d88b3780bcfcea1052ba2478d3cea90375bfad123bd5a72c1

SHA512
febaff36df193b01cab332f96b3d4a9b317fd9d91583f9bb96e1c17e55091886a31ec65c2656e342963d20ae8a70baf712c0e6e6b5d53d236d1a8ca076aa0975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ef299ba20849f891027991db8b4c68ad

SHA1
be1fa8343bae6db1022451378e2ea1f909dcb4b2

SHA256
1f944598ada298e9c45312bcc478e9cafd4c9e05cc0c562eb51d6b53dad4e9e5

SHA512
eea153dfc3f5209c2bd1262c5b55e5be56ce81cebaf5f3526610b742e9e0d5268c01b316ff7f7ce41313c483e2a707cf066688d5f21312bf9f72499c7916f93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
afadce81cf524df070ded78afd4461c9

SHA1
5bbd22446fd960e31d3837eecd721636edec637c

SHA256
649ad5a2a7ac99fde8d77876a5b462112abea8e0b8ce6eda309aa6aa18563e73

SHA512
a73ee95b66992a44dc75dcf38c555cb013acef9e6546e8a4c48e5b03bd4e7ff1b0838685c06dfdf80d95d8e4bd16e93021beb700e91d6940f85c8e9d258d9607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e7a164edff803d0f86dfa2e9958d80e1

SHA1
dca5fe33c1fd463d45e59201af40860d6c6afbc9

SHA256
c44f6f53aae55bcb08f749e0f16037d6024cbe6f5bf6a97b3f2298f731569fe2

SHA512
71fb6fe107c7a233380d2f3313084ec8d213a5b80ab42e605d93128c3029711b113e1261202412c8f0a6f6b4598ab504acf53a0c1ce484ee1f9882b8f84e2bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6cde939d17cc9927e53a9b9ef7038de6

SHA1
1d59ba9de971a1dad50dae854aa156c27282d6ff

SHA256
d0716c6b256f4bdbdd79f5206515092b207e15f34d9adacc44f9cb1a15e331f5

SHA512
b0cb2b8a164a01662e2d1b18f13835c6a0242155dd6209e45307e6fc1d56d9932f71226ae947ed722e67ebf66aa1adf18a6b4f81d6a344f2d420fd96e75a8766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c5ac501300f516a850b913ea093928a8

SHA1
18fdbf19c25ee4f7f1ce8fc9cc88f9da2fe54584

SHA256
50e60227d2be4b61c8eb2bca32965f2d55f7a0f3181db002d769e69c68c44a36

SHA512
ca4bbce69389c35b3061c44155ec54052485320e2e96b5911296d281a8f00c85de4d334297fbec5b4bfdf62b66eab36f03ee48cf97a87ea2c3fe3bb6531ce05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d72bfa9ec88e89fea426c5ea5a68e32f

SHA1
2c4a18f3c6e9911ff410e8baa1651228dbe6f28b

SHA256
d7d49271f92427e23f8f5ffc07d4cd00f2ed83803f66487b246aa6bf1c6d131d

SHA512
4b5b1438d32bffaa88c80fbe4d8afd001d798406387ca4e5ed056c1956014b1134d1be32b4077ec52147d22d2f25ccabda68a1e82e853a1390c0ab65cfb43d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8d4d42f1db5a9c9157607ea109866092

SHA1
246484cbdb015c05a1ff77e7e1519cef375167de

SHA256
018c32f64393307942f3201f8bd99cae2ea957c321be993fbc4562d3ca37c8cc

SHA512
43c1f80358aa2e0596a45af16022effa601eadf8a9fc2c2a7ba118e05f0ce96d8d0604afedc7319aa1aad6a5dd381cf583a1b1503ff3c4b73599bb67f9a1eb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c4c7.TMP

Filesize
1KB

MD5
74ffb3edae798b66605d16c337e7e955

SHA1
34d8e7b75e3fb19230ba2a0639ef64b0a98a8665

SHA256
075c9acbd2b6a6b49559fc66fd08601e9e3d0e13b4eebec29302e6674d613948

SHA512
6a3b9881b2bf1422434082ad5321b46d5fc836a6f8ce90ef1a81c94434765cf19303989dcadcbc1b5b7b53ca55f5769dd1977919297736c106e3c25e2b90dad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
03f6da3be595d3410b31177354b8de9e

SHA1
54ec0877c0d8703d1edf2ed9a713be009bfec0e3

SHA256
2ef420df3f455320b5da5dcb2901513dbc29d83935db64b7357a29acbcd625d3

SHA512
3ae070742c4d8d5b8d78872960ac484ec77c68411aded85e6c5908a5addce15a597b60dbfdf6e7fa4634b8d7d04a5418d7d1862013df39f22c99fca7e93ac92c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
915d3d6cac2c70c8b587472e464e14e4

SHA1
6c7806402801c61645c13575791e6367492e9677

SHA256
3b90b3c05c9cfcdfa1987968a8a4bfdd8291b7ec20cab58574e09ac57b783ad4

SHA512
d19881a16401845f4ffa0c3fac8b1c3a06423436cbd2b183f9d38a084c71a1ab8536d48d307c419eaaf750a7df5d5031d74c01295d665bf7a9bc3f073210d8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e50e2e4ab14bc103e309d06a97d91a54

SHA1
52dc1381b210bb3129c81f7d17cc6baa6edfad6c

SHA256
096d8dd440020f055c917fef16ce92c80cca756451d46c4a91c1ce711c7aed49

SHA512
eb08111de07a437fde462c2ab1be123a622999546d252972aaaca6b89b76dd41d8d2dcec75626894a4fddd37a51fde0d5cd0ded30e0caab4ca364c3a61331ef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
908bca6973beb45768754237501c380b

SHA1
39bce9fb883d0b076da7acba2f772ac79f029688

SHA256
a478b7f36282b202b303c69087f4a5ed0e9474782fd37e87860bd3682b0dde49

SHA512
fd29fc988ddf200222f89b2d9c398b825bb0f695b7fd535bf7998e346f03ffc1a437e182df1e871f2a33f014786c75524bea6961eee4fd5719f7f50fcfe8c94f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5797f18edfc33782be5992d60109e76

SHA1
ee20d6e9bd313518aaf1d30714dd8cddf3a2717d

SHA256
c17ec9b5624ad07c0ab3baff2224a5ced4bc91d05a7c1ccf72d1a8e62a408732

SHA512
373d9b82eaa8eae329057d4d310ca0dec26b3e7d21e665db11336588ff82fe0580437a2cf63503d8052fb3fe74bbd6ea9a134529c12058fec4c9aa315d04fdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4B13B30B\XWorm.exe

Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 680181.crdownload

Filesize
1.5MB

MD5
5bc73afd2b5ccf7bdafee603b85466c4

SHA1
c44506a016e9d31de1bb7290580e2d6d5e53f077

SHA256
c7f182dad21eebfce02f141d6a01f847d1e194c4d6aa29998d9305388553cf6a

SHA512
33448cc4edb2550f1fe6c4bac27c6f8d3e0d1985f7c6abcf34ac83dff650fb90b926f65a4553da4e92868f507de4dfad87e5a38b3ed8c68668b983105bb39224

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 876633.crdownload

Filesize
3.4MB

MD5
3e5f57ebff875d2e675f122348418057

SHA1
260a934824203fbdbe199591038c28ee55ba8de3

SHA256
a911bbfab70c7545307b9dbcb06273d899ca03aad928f0b66d55b41c25cb4f14

SHA512
7b75eaaaca495cd0023c8ebad028b3cd0a72024820cdc4fd37e3fbe15cf66a344b5f34e9a049fd430fbde1567585603d9e98f7058073dc2b67a8aab3717bb9e4

Download Submit
C:\Users\Admin\Downloads\XWorm.rar

Filesize
3.8MB

MD5
72ed99d6168329b94021eaf282af0552

SHA1
0be0ad479efa7b5d3021b06ab5f6b71f858ba08f

SHA256
463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a

SHA512
b11c5657389e8e6f5af5bdbef2b22daef62e26484117c9a30de184a63980e6108cd804e43db7494f24057eaeec32ced7ab5ebd6f7aedb6467a207a209a2bd2a7

Download Submit
C:\Users\Admin\Downloads\XWorm.rar:Zone.Identifier

Filesize
625B

MD5
3bb349e6c3f59bb8b624cbda70ee0f83

SHA1
c12fedf1b4a9bfe51367b862e44e17a2855b03d8

SHA256
575d3cd867d07b8923785199b4aa7fa8ba34cb2974dc4bf2dad921f630449b80

SHA512
fe437e48107f973685d1ce8058c2b1fcf6b91a0fb928e17c674bb0e5ca4ac97e0896b748748d4547898f16896ef279ca4eaede2b6eb9d20062fef94da9043f24

Download Submit
C:\Users\Admin\Downloads\winrar-x32-701.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
fe39462c931123a9e03524154d57326f

SHA1
6cf9ee882b94e6e5e1bda3e029b7b27f76e782cc

SHA256
851a51792798c975b1d569e95a042fe33eadfa648c6f6b79a076df2e7bb5fac7

SHA512
25ce4ae3b2ceadd574dd6ea59da66998e777f974df886191c06184f50f92bc068fab238fe367a10ca50554279599e0461ae2bf181c8968695670e8382ea6bc54

Download Submit
\??\Volume{d7b304fe-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a7816cc4-9b28-464d-b159-0a24816cbc3c}_OnDiskSnapshotProp

Filesize
6KB

MD5
dcaaa88ab3ee89a746406d6536171fa6

SHA1
91fe4ddcf044186f57af26dba1767c7c91cd2f6f

SHA256
8d7311f58c897414abaa9a79d8b75762119bcb14a1658e0372c594d087ea5d32

SHA512
a0de3f301868848c969596cfe594803fdfe10e1d045f84a9ba588f4427954486864906a9c43ef97e4487a5d94a6cd1ba37d6acb1b06c5f0747c3be3b87dc46f8

Download Submit
memory/624-1246-0x00000000023B0000-0x00000000027B0000-memory.dmp

Filesize
4.0MB

Download
memory/1668-1363-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/1736-1225-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/1736-1223-0x00000000021A0000-0x00000000021A7000-memory.dmp

Filesize
28KB

Download
memory/1736-1224-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/2804-1262-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1267-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1266-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1261-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1272-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1260-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1268-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1269-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1270-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/2804-1271-0x000002A3E48A0000-0x000002A3E48A1000-memory.dmp

Filesize
4KB

Download
memory/3732-1359-0x0000000002400000-0x0000000002800000-memory.dmp

Filesize
4.0MB

Download
memory/4204-1346-0x0000000002430000-0x0000000002830000-memory.dmp

Filesize
4.0MB

Download