Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
17/01/2025, 14:43
Static task
static1
URLScan task
urlscan1
General
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4392 XWorm V5.2.exe 4680 XWormLoader 5.2 x64.exe -
Loads dropped DLL 2 IoCs
pid Process 4392 XWorm V5.2.exe 4680 XWormLoader 5.2 x64.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/files/0x0028000000046384-523.dat agile_net behavioral1/memory/4392-526-0x000002D4ADEC0000-0x000002D4AEC9E000-memory.dmp agile_net behavioral1/memory/4680-982-0x0000029DEA850000-0x0000029DEB62E000-memory.dmp agile_net -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b9109e64-ef6c-4efd-b653-d1b05c519a03.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250117144319.pma setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 21 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWorm V5.2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWormLoader 5.2 x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWormLoader 5.2 x64.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWormLoader 5.2 x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWorm V5.2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings msedge.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 4860 NOTEPAD.EXE 1496 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 1172 msedge.exe 1172 msedge.exe 1408 msedge.exe 1408 msedge.exe 4928 identity_helper.exe 4928 identity_helper.exe 1604 msedge.exe 1604 msedge.exe 2880 msedge.exe 2880 msedge.exe 380 msedge.exe 380 msedge.exe 3984 identity_helper.exe 3984 identity_helper.exe 3808 msedge.exe 3808 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 2292 msedge.exe 2292 msedge.exe 4940 msedge.exe 4940 msedge.exe 5112 msedge.exe 5112 msedge.exe 1004 msedge.exe 1004 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
pid Process 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 4940 msedge.exe 4940 msedge.exe 4940 msedge.exe 1004 msedge.exe 1004 msedge.exe 1004 msedge.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeRestorePrivilege 1972 7zG.exe Token: 35 1972 7zG.exe Token: SeSecurityPrivilege 1972 7zG.exe Token: SeSecurityPrivilege 1972 7zG.exe Token: SeDebugPrivilege 4392 XWorm V5.2.exe Token: SeDebugPrivilege 4680 XWormLoader 5.2 x64.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1972 7zG.exe 1408 msedge.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe 4392 XWorm V5.2.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 1408 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 380 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe 3260 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1408 wrote to memory of 2736 1408 msedge.exe 80 PID 1408 wrote to memory of 2736 1408 msedge.exe 80 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 3256 1408 msedge.exe 82 PID 1408 wrote to memory of 1172 1408 msedge.exe 83 PID 1408 wrote to memory of 1172 1408 msedge.exe 83 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 PID 1408 wrote to memory of 3652 1408 msedge.exe 84 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/SmokeLoader/XWorm-V5.3/releases/tag/XWorm1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff87ac046f8,0x7ff87ac04708,0x7ff87ac047182⤵PID:2736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵PID:3256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵PID:4768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:12⤵PID:4040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:82⤵PID:4732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:3400 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7c57d5460,0x7ff7c57d5470,0x7ff7c57d54803⤵PID:1608
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6204 /prefetch:82⤵PID:232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵PID:3276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:12⤵PID:384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:12⤵PID:3284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵PID:2072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵PID:1088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1401646383399026886,13376156682717229079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:760
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2968
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2460
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\" -ad -an -ai#7zMap100:108:7zEvent118811⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1972
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe"C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:380 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff87ac046f8,0x7ff87ac04708,0x7ff87ac047183⤵PID:4208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:23⤵PID:1668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:83⤵PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:13⤵PID:2232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:13⤵PID:2772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:13⤵PID:228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:13⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:83⤵PID:1880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16270079831982038251,8361915650468426658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3260 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x120,0x124,0x7ff87ac046f8,0x7ff87ac04708,0x7ff87ac047183⤵PID:1336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,5268281899431690734,16886418294740717895,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:23⤵PID:2012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,5268281899431690734,16886418294740717895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:3808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,5268281899431690734,16886418294740717895,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:83⤵PID:3280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5268281899431690734,16886418294740717895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:13⤵PID:1028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5268281899431690734,16886418294740717895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:13⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5268281899431690734,16886418294740717895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:13⤵PID:4508
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4652
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3296
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4660
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1716
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4680 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4940 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x150,0x154,0x158,0x12c,0x15c,0x7ff87ac046f8,0x7ff87ac04708,0x7ff87ac047183⤵PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4330820711889650223,17076851733356613582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵PID:1448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,4330820711889650223,17076851733356613582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,4330820711889650223,17076851733356613582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:83⤵PID:4484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4330820711889650223,17076851733356613582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:13⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4330820711889650223,17076851733356613582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:13⤵PID:2880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4330820711889650223,17076851733356613582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:13⤵PID:2276
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1004 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff87ac046f8,0x7ff87ac04708,0x7ff87ac047183⤵PID:3412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11909792268178983140,6530085007386687821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:23⤵PID:3292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11909792268178983140,6530085007386687821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11909792268178983140,6530085007386687821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:83⤵PID:4204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11909792268178983140,6530085007386687821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:13⤵PID:2356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11909792268178983140,6530085007386687821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:13⤵PID:2664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11909792268178983140,6530085007386687821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:13⤵PID:2408
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3300
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:624
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4336
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1768
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\Fixer.bat1⤵
- Opens file in notepad (likely ransom note)
PID:4860
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\Readme.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD547f6bd8af70afc82951ad69e5abd96b1
SHA10d13559c430664a5af9ba49ffdd368500720ae3e
SHA25670f9ebde4f378b84b8bac2f93329de0b3be6e94ddf2418ee106ff94d55ba9cf7
SHA5126a03de607e8f76dd141558cede94614ddac16e90ba36f0c0705c0a11efe3db67b0d8f10b9fd34352380f4d46c399bdc16a5f677589ce4667feeb93d64a992984
-
Filesize
152B
MD58b16630717cf81f638bae67ab57f5e76
SHA15767a40e7011584c074743df3ddca48d05c833aa
SHA256687f4722fac01dbddcee3ad0b9bb4c5483d21a83538b049818fb3ea9f2b52cfd
SHA5123718b25f887b0112db461060ee647ad4240bad91d82816e48659e15b9f1c94b4a637665ac258b025fdb6b3ae0349bc26802e4b6d8215846ebc01777ed5a6f771
-
Filesize
152B
MD51ab523be0df47b9c44c0863d39e9402e
SHA1a41f981235db6719a25988be3f650f0dd44c5803
SHA25665223a518625d4525c42fa0a46e7bc62cfbc9f4eed6570a7c10f639ccbb907ac
SHA512865d0e948b80b911c029f4782d31bed455d6ae405823db137fe5582674f556312db9182f04417f876a4c04326183d97759abe5b114230a939417c9fe87449e6c
-
Filesize
152B
MD550a139aba944ca85ab4a0c154b01bc63
SHA1e5b50e94fbafe168b3ece75fd6b750565c54f5df
SHA2562653e90df1430a4f72648a6244c4477cdad72b6cdf600915ff6901239d3ff470
SHA512cb041355dec7d56f1e1d3461aeba3ff54ab02bfb5249920e7cfcf669a4ccf72b66c0126abf867059c2886f0b2d0ca8764aff65a97e610b6ef33ef94b992333ea
-
Filesize
152B
MD5c8f58b755b220f4a634551a5797b3b8f
SHA109435372e22f454d940cab49884a779408871286
SHA256bb05bdcde2b95d1f66a3e8870bfe2102995868c3d3bec48a0eff191810d0e38d
SHA5126d92dd277fa36a0a6f1ea5d7f6569342bda164c27636ba645e69f205f16561fa754f16c5b1030abadf120fa1288cfee51a0ce267406df2721af7a6e17311b933
-
Filesize
152B
MD5e81ae6c0bb28d763fbc9d0e01eaec1f5
SHA1dd78a211613217f0039479e53cb124f14e5a9a13
SHA256f3f64b3f05b451b4356a97d7e597991c7764691cb9389dc871f14ca9fcfa4e9b
SHA512afd8d8e7ed18680bcd414e7f21f397c4b4c1867d1be5feff867f81c0f0874feec508d9699be0c649c89485d7fcf1606cf77aad62296d2c36b06ebb2c6cece94a
-
Filesize
152B
MD50f7ab6789f3b5c763bfc58351c780cf1
SHA17e2a81fe100643923a03d9d01335c13a1fc11df7
SHA256edb7bbe0ed169dda775c86ec329305749c5fc8de1bc8e0f157e4b75a27969f0b
SHA512bebf487efb9fcd81a7ae93fa0d3d7b8fb95817209ab3f9204fd1a535dfbe0de0161b83c553f7445d9db40a32ceb26a8c6b68beb99b2eafb51003432c5602bd1e
-
Filesize
152B
MD5b994faac954ac3908be66b399f4f6287
SHA1cfd6899bd52bd1ecbee522deea602f5135ad63f0
SHA2562aed861d6cd36ebb262f8c677c0efd5440552ae2df484159b587df2c797e8fe5
SHA51249cd2f59ea2ad71d0735a19db0ebe63f53ee1ad65a9eb03e3cc274fc8eff75f338e83237ceaaf93f4625b590cb6c5e0d165ca1cb06dd48093d4a41e4b8ac7506
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3af25bcf-2315-4cc0-9820-c946625369a5.tmp
Filesize1KB
MD543031d787e1698847218b4894bd0b760
SHA1ddcf0448e6de70ba2eba2082683ef7bf98a83380
SHA25637000feb06b7f4f9a6a927b9fd203c7cedd85ac15a1df887559e317958e7dc14
SHA51207ee861b86695292115caceda4574537fca14e946e0cd926cd3d5c5f4b36b823a9d6bcf47683381f1ae8941813a78386a5a89d58f5084f56d637d35d8de986e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5e1f1166-2ded-40ae-ac1b-a5feaa4562f3.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
44KB
MD5db66cc6b6a806d57d74d9004431d262d
SHA15d5d5a693f6569a5a89158358cc193bf76aac488
SHA256ad6bc11d58af1e6e84d7c88e94309a565d18a2b3a153e75262bd057b054e74d2
SHA512e54d972be4fe847e8531a09dd0bb1cf23a8a91ba3d9dafae191f837583c6507acd74d0e87a81cf0ff7eb6f47df0aa9cb69f445f54728b5768a0fa83336a420e7
-
Filesize
264KB
MD54f93092e4491807431f0c5527906e3a6
SHA13f378963d383e3dada8ccd898b18b1e8d092efe1
SHA25602cd0cbdcc3507a411567106261d10765651520e25217b5b72ca6104536d3471
SHA512c711ea3c4a44e579e9a8db94001bdaf0bb375d675ce9c0b3ae888618581bdf4cbbc016b10753210e185d6e698419112b0a16cce81269ea3819cc452641c075d4
-
Filesize
1KB
MD5c046a11b61b9ec57b4a9266643d58cc3
SHA180b83dac189c6d99c62daa46cea8fbc24eb73e61
SHA256cd2793f63765f79b7f36f3e10240ac186227b9f44c540df291995952446f637a
SHA51212fb95ec3bcfac97c605019a365b287a96fc73701486d634ae28b65958071fecb9950aabeea28983b91d3aee9e2ddf6e8cfb07dc566f7a839d508b6575610db3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5d2311a69e97f15952689e2f3b346d7af
SHA188cda3d912c31d71f5801b0e90322fa2d293534c
SHA256af62117aac544b7228e2c1fc5fad9436ca9c6ca6df83aa9a038f0b40a13d595d
SHA5121011993896790d66b4d8aa9cb49cbdc6eb9793b470676faded01cd3284e7ebe561caa46d7d516472770514aec11876557aa4cc2d6681e02c7b0813fd3235e9fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD567b09b1bffab7cb8015bf76bdf6d4796
SHA1d353623601b1e20c0f1e4fca363a50bb87aa0341
SHA256b8978523e88b33ec38f39634cc9c57d85d4280f016732feec9513fab04aba2d6
SHA512a08834e1a2dbd63e0e349ffbfdee06d3af60e112aa7536724552796011c82142c282bc16e53fdceeb46645a3d119507fb3c6fbf877777d42a14051850e80887d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5dcc6c4f5405f1331f3f58b68ba6fa77d
SHA12a51d629bb63227c6cf2fd02e478e617a3c4ba5b
SHA256e972817ebe8ca37dd398dda11e4641c11356182e8485d43fc473dbb51efe8abf
SHA5122b4fce45fad2d4b0e5d3c627ad2e0684964b1ada81bd02c6b06becd43601c6c0aeac215f0ca966afb6f87b10c91ff226b078ce85bf6c6257552b37fd1352385c
-
Filesize
20KB
MD58c93f7e92d17dd349cea168ff511eec6
SHA1067281b8983bd35d393e179c302d0bb531f2a687
SHA256f094ddc765ff895f9bb43d8a7984b0bb57f0eb47e6f36402669a03716d67d082
SHA5125f9930d5a25a7d6850891722ae7c76a031bf1fa2e769b7e170b9350e8c23b3a3abb84bd7dced4ade8d2f6d756577a2aad707e613429bed49d68cb390098f7336
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
20KB
MD54faa604b0a34956c898d2f3ad20f2f60
SHA1f226b89e211c3c615d43d407f2d7667a1de5b348
SHA256263e1a359aec7ac15257aba940dd9c2bef86e79d3b09a03a010d0cecd3f1e822
SHA5121f38be7ab64b1a1b6aab5b63fea159d8d4601430609f654fad320c5882016a51c68ebd778882e3f950606dffc6305dc1d111f164c588fd783e47ec95ac4f4152
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD502899d020d8361f9084f37652458e7d3
SHA12197570256484472822afaa43f63cc8df845ba9e
SHA256a26ee6e72417cee8d9de96444b49b34690d6d45cd77e9a4a6a15eebeb5f5deae
SHA51216fae6071dd2158f2d2acea647447778d85b06c45de0232f9f67219750111745c55792b3655ad365d5f7a838c578a64e5f64a4b1ea8f56529b20067ffa1f1181
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
256KB
MD514daaab483872320e079b02498d8d3b9
SHA19e4d1ecc6e82b5592a910c32a90af5c466e82c88
SHA25624791dce31dd3f1f5a8fa5cf7cd1ec7c5400c770f8e3a07be7eb344aa1092851
SHA51202ee413be0c2a0c711df0335fb1c24618a33727200b35ab48135ac643e89444d23844bd21b8a3ba8a26ed1930354e7068ba997f8f38fb41923b79437a38a8197
-
Filesize
124KB
MD5da6da6248bb05403e0d05de63dadc6eb
SHA1b8a42bc42ec8aed39dc930adb971e87d606bf24e
SHA2560628c2e7456977f0ea17f65344c4ae0e79ddb2e2e7eef1b889e6533076f8935d
SHA5121b390b90c841f60f805510ee642be2ab66a9d152eaf51ecf2f061e39285e7f94957f7501a732744583a00ca308fae976768faf5d20a9f9d1658d42cd4fb12918
-
Filesize
913B
MD5c5f9744f80635ed2360cdb742c1b33fc
SHA15b2d415d6e3e6424b251c56c57ceacaf26f1b9cd
SHA256fecf2ccf9fa483cb34f485132d30cb34b8ab51fdd5337acf629cc6a4ada8e45b
SHA512437b12d6055faa6a6d948e84ff92237c3b1b09fc3456066143245ae19c146c96d0753d332b5ab8bcce9f2831cdda6ea30b64ab512234edcee41ad6a252bd67d9
-
Filesize
9KB
MD59c5b901eed6cb992e86c88e436d2be6a
SHA1b793d20fb060f2d0f0ce2f3e79f56584af69f6f9
SHA256544cd68234a9075ca9a14e13ecac0b7b9b4eadd2098081a41b155bb48fb03ee4
SHA512588206241559d998884c16f38478e760d1d8c22574e802185f0cfece28c5e5838419c1e6fb6c668e42ca683516257201e2dd63dd4c47a7f829de767743094d86
-
Filesize
291B
MD5ca997314db1119ccb285e19da0266fac
SHA1e329f25b22d1de8eb6d9024f41acabdf0e0f6395
SHA256cc16e4faca8acfbada02da1a5b967d225f73a21c1d5db8a2673828204f1b6055
SHA5124742e060afa3a4c5233c23f5540ca0ed69503391257fcee92be38302143ef1e0b7fa648833d6151646c02772cdfc5e267d50bc060429292d32d49dac1647f0a2
-
Filesize
496B
MD51b92794633aaa7d8ca83e408ef516a36
SHA14ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6
SHA2560ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0
SHA512698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb
-
Filesize
922B
MD5feb37f4b0c2a395658f261f5dc5ed8fc
SHA1359acd08833fb5c38e4bcbe685a7af274d8e3805
SHA256357e0e57a232a50da8e9197466bb4fc61295d5b6b05d93079472d7c3ee4e498b
SHA5122b631a219358f1c440420e753cbc7333a361d60997c8abd6709a2ae7758a17b4b8cc645ede268f491a54fbd24f8c3205fb3fbd40abc3e7a3d60699a2e9609a7c
-
Filesize
922B
MD531307ce3b032cb6468040a001ef472fb
SHA1a8404ecdc0871f45ffd9b2d02add9cddfb62f3bf
SHA2569594fd2654f9e07006167aba1aa985f1968f5c9831fe6acd03c89e6fbeabc775
SHA512d0e7f16e717f13fb93b949d291b74751809c08eb4ec4647d7f747d854f8778291e1e63681a3832cc616f8f6c2474124297db62e0390923ad4541ea7ba2ccb768
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe588fd7.TMP
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD50dce5dfc41da9702653d2a982c4ec72a
SHA12b5fa873732c14e5d28a4014eaa527d659a616da
SHA256d32a83fb13d60def6fa3a812674ff535510b9291af9a17e773d3e60f637f4e65
SHA5122b331f57a4fbe06d7b86d83ddf72e1bd210fee2622efe6271621461ab0dacbedf51b5f631f3b764d4ced75de34260db5a55867f440b6b79d1844c1af1dc9df55
-
Filesize
6KB
MD59d4e9af5284cd965c34fd936847e764c
SHA1a4931f95501620f9bb1bac6488e6c23ba55f6963
SHA25618684e24d79441db1467bab7ea79d53c0d4d5ad184830c2bacf656d6fee771fd
SHA5120d8feae88397243f0cebc0c7be8a81b4e26d016e2cbcf5b4d6116beefee28811e450f9ac04cfa95eb1a6a227f52ed4b1e59c11530ee59f8f709d33343bcf9de5
-
Filesize
6KB
MD53da894db549e1da4d76df54f9fb24a08
SHA194778f2c46b6545c1bb731b81b5495a5b86e84c6
SHA2561c7fa3d0569b4b7c6fb264d2b05a7f2d191dbcefae62cc7096fa1c90b74282f3
SHA51285e152ef6677ca73ab8d6e28f458d3739258581d13490d12491b163e73f4725b058f06a8d4b1dab9636935d436c5dbe2f8056e9158ce57b7f2e609e77ccdeba7
-
Filesize
7KB
MD5dc18a75a9e62a6fc3eb54fcd44e9c2c1
SHA178345c7fc7937fb9e6c22b474911c767e1833e8f
SHA2563175ecdb353a6e82839e69f8835e74e2a78ceeffdf42f0ee9e9261546dc9a98f
SHA512fdc1229b59f25a7500e698ce65617fe1d9bb17610ef39d3938c9cc5c93d708839962b85012416714ad08b99a904ccd064f14dde86e213964c5b478fbae65d636
-
Filesize
7KB
MD5940daf519ae7443b476d372400925c22
SHA161c825da88c5c56353f655fa27699b5c4c7af1b8
SHA2565a6c2d2b09cb2f918881ffd22d493faeaf27206287ec84ea8ad4082e1dd5d0ea
SHA512f109318e1f7f8dbe098386744cbf5bb2a1b970850b6563080aa3878a12bfa52af3fde81d869a5058205228c119cc6798570f139af5611d939e8a6f6473e34a7b
-
Filesize
7KB
MD549f59765616e94dca631e4869a4ee1ea
SHA1cc84620c49574bd633ec3ef38f4f4637da7e25e5
SHA256af3918908469978af5d8369d794005b79b5bf1e3f373cdbba68921e67a7ae75a
SHA512457b2ea6a5bede0578f6ec5ffc5a751b40a452a9182ee8a5a09e0990944da17cfd9557ade32aa14de96d086508a98bc1b765844d88882e028e76274d1374bf75
-
Filesize
6KB
MD599396cc38e3373bc68bc0ee991d9e5cf
SHA1d6ae26e380d5716a9f0e700731e2ff943f1f6d0f
SHA256084161e85c0b65cfd18e8b47e762d9f4308077fb3d251fd41e1dcbf5a1308ed8
SHA51280a3d3ad68eb24f90966ed1c73dbe19f724c9df6881a8aad54d2a8e1c51f6065f855b49305859aa1b55afb006756db87ae9a173df1bbf80048f05dae44c6e3f4
-
Filesize
7KB
MD5598050472afe1792d72e58cd051a0058
SHA14b7238719450d34d5fe78605211ccadacaefa6c7
SHA256a687065cad97c09117cab55527fea7a2ecbe3bacd00c40b6c4caaeceb282b9bb
SHA51233cabaed450a8bee1cd4af0d368a58321318f45b64d622dc173ce0939e5c561f9ccaabb44175fa8900ea6a5ae1584abbb3e74c04c68135cfc00ba7104e01005d
-
Filesize
6KB
MD5b981d6edeaa55a2acb50ce8353575446
SHA15c68f13ac3a8fadb422466809c86b9fc4236cc59
SHA256882559a814c890795c990cdf85c3b57dc6b0294ca73b8968e9f033170346642b
SHA512b271df5334bc75f539e228f9d46d2b7110b5fc889863072a198e056475184b489b66d848ac229278d0f1f8d05b5339a47c2624d661314f17edbb14e6c0e03c6b
-
Filesize
7KB
MD55d215daa2f23402038d371ef5c1bd0c5
SHA1cc7e091736913caca5a07396cda1365ca2809091
SHA256658fdbb90ffd23b16c3cce2e92cb16476331f4976681c3d91988b125882c887a
SHA512d22fc1790b0f7ef581c9f0df17db81c42bc41e00fa6d66fcdd2a77c49ad488bdee02988d40b0d72d1ac6459a6bebaee7aca43bdb1f006b5973d7dec4ba2faafd
-
Filesize
7KB
MD595cfb9013d7af061791150f55eaf707e
SHA16234c18e16ff92ee79f7694fa22711a43a022764
SHA256ab37719ce4831267e417d5112ac602e1a9a52cd09de382488795fd173800cb63
SHA512b97f5bc8c93b70a591f33c51eec595d229a32b2b75a5b451a562f9922fe6a294de4130fc37765596cffc111c0d223aeb900e676533ab43fb0ed7d7aadb183639
-
Filesize
7KB
MD57ffe49dd6b37258251eeb0fd2fe04b9b
SHA1a2a2c9793c7f5d03dd0f2441e7e37aacea90bedd
SHA25691085c33e909c8f3bbd268d02ba4baad5dc4f992da9b8691f4b5982a9953c284
SHA51228bb581d0c174b3b7b07f3f66b0b8d3ae4b005dc19c54ec0012f89e9643e4c113346dc4b95dcf9b91c0a7c38a85d5d7f08876a0cacee0184f61774428c4ad5d8
-
Filesize
7KB
MD5c7ee15fac79db9f34379a5943b4d53f3
SHA17304d2f7213fcfca2a6d45a409b4de70a757f288
SHA256608b717a0bed1cbc604e0f862f2f3590a2319006e8f93263179d0f914042e257
SHA5123e810993899e4e51104a6f74a2e197405d4998ad5d1c07aca91029a0083259717b2ec186b97e22584308c33e1cbe4118cbee282bab226f7110a4490ff58f38e9
-
Filesize
24KB
MD5d590b705436b349074c9730516c56716
SHA1545dae2c594f8dd63eebc19fabd55900b7a001cd
SHA256da4e0974a427913f72174b1fa4fc560396d987ed41ed691409916cb42d914413
SHA512e11e7aa45fe3b931bbdf7956379dc61f845e19a087eac8e5ebe4783c5ca3d2a602016271e8f1ea4bd2ef9dacca444b93f1fcab0373921246e2ed7350f48cb9d3
-
Filesize
24KB
MD599315c72c0078122aea1e2e0e41a26e8
SHA11d04494fd6fd5bc394405c02e23f8df323394d4a
SHA2562dcf01b803332137a3a4925f7fc2878c3c6b8be4be77ef359e7f658811446b97
SHA5127a5404b86f6b5cdddcc12fb9c0f23f4264049ae784faf0be2ff16277eddc09759bcd4f62a6652c87f956255de49f12b12c32dbb5dd228cb99574a963c26ab605
-
Filesize
24KB
MD5ac53f799eac28e0d89925ee5d17a6546
SHA17ac662a77a2eea52448ed6e619da951a4ee2b702
SHA256e3819909204d1e99436296302321516b4136bcad09858057ee35a9467d49fa64
SHA51233141517e756db3cd99d0734b8944bf75b7a7722f8ce52a31b739e3047264da130248d7219075593fc4e6216cfaeebf59659cb5e8b22a2e4749cf31e246347da
-
Filesize
377B
MD5859f9ae8260d213c6f476943f5104cb3
SHA1be03d5b8680f1ebeb98bcbe9a4f8e05d5c8545c7
SHA2561c67cb840b49ae5e0eb1498b73d7ef3690acf665959878354f237b254e1feb1e
SHA51263a5a96b35068bf700a15c1bbe096929eabde2b0066da2a9522d6d5f62ac8a1211683d33c2da5d0d1de54af5cf27c23b0fbb6c0dac79eda19b0bdd66ad4e8a41
-
Filesize
279B
MD5c14df533c2df5cbf184acedba0efcb2c
SHA1d6e2596ff8deb9a84f6809048b271d6a888928d0
SHA25676e643836388c407a686d7633e293123246ccb478627c51844f9710529f8a546
SHA512612148ceac1984e5cccffe268b7d2338d59f967ece0aa1893831e55a3ef26acf6f0b611155fdf23d759d32fb84604024b4b2ce9bc966ca05c3859a5ae8abe83a
-
Filesize
2KB
MD5c64e40c600b12a1d9ef20b116e3b78c0
SHA143b44d6705f9c6b3f8061c2e07623273059e7608
SHA256a46e19c0eaeb84db61049fc14f95f377612759d6a7f8b38a3d87704c9d6f9bb3
SHA512e17fa103ece92cd9fe00369f4f4ca7dadaed1761e7b808287f5bce94d97cb2a9136aa6f67687cab30a2a9cc007f0fad57695d6c6961643e6336d5a0b392e3eeb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize112B
MD535f6cdff62214c0b334b3387642a6d40
SHA1cff9085556ede5d3b463b10272822bbd506886e4
SHA256ec6e39ff5f7166c164a310ca620f067c9690a11ad0d025894d45ace92d3bb545
SHA512a613fac87b88a53dc081573a286e91dc13175e27bb95ed7fcd3a4845908ec485eff8f1df3486881a44e5ea79636e6a232e2ab4d3f0d6ad0272f39152a0305dfc
-
Filesize
344B
MD5ada1182348330fb75262400746250ecc
SHA153d2c7973468516fd3e6e2e04f23697b6eea758e
SHA256d69566e1a5ff6b0647f39612a7c9a9b67e79c9037624f94f8cd1ef1b94003a49
SHA512a058a86983c55ff2bcd82372137a91df75d985bb85ce334883b0f948dc617c72a0745d40571380b34e3fb3968cfc97c5fdf607ffa1a89aed7e774dcafb1e742c
-
Filesize
323B
MD5c64c4276e70417bedbf12efbbe5c4cd3
SHA1dc046e3547b142008531e6f676728e7d41e681ba
SHA256fb20eb854ae41541f61568f9dfbb61af5c33fa03fd649360fb2ef4e6273bc050
SHA5121a214db43d3ccab5e995b1078eefb613b3c8587bed1db69a32fcf914c6cbd0cbdaa20d5328a43aff1961a0db0d05e6a9a0d0611e10ea27aaf02fe755d3384605
-
Filesize
20KB
MD5f44dc73f9788d3313e3e25140002587c
SHA15aec4edc356bc673cba64ff31148b934a41d44c4
SHA2562002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7
-
Filesize
874B
MD5565de294368b7211da1fbe6ac0ca3598
SHA1f2a4b9f2652268703a66d9a7d4a8a207ff421800
SHA256c9cd2a718db17d1d6856f48a1dd3a57b0cdba4548b0a00f344a19b46d074145f
SHA512c397ad69682b91ab589dee8298479e73964bf15a24f7d8d80fcffa6ef8dc0407341b45ab24c3c25fc50e18cbb475a4bc8fdd3756ed8ac0c14cca826e7ac6a8f0
-
Filesize
1KB
MD5d83a6575aa4f3a19a4151095f1ae0082
SHA1cac3bb7be49da0e2069bd22a6b524249990c47a8
SHA256a6717606c0b46aff1ba023eda152cfb4af3c438a8895c252a9697262cabc98bc
SHA512d85116bfe2b830b4b996b3861c51f82b2d1e7b5028c4af7b80c9b4d84d7a3aa329a3cfbe9f7ad855368c33e8330a28c0cabb281f9d52e9a343d7530df5bcc3e0
-
Filesize
1KB
MD579e0b3ab4d7fcb927bc2c0b382d3ecea
SHA1b70a73cb01ca1bcb6d4e5cf85385db8caa4385fc
SHA2565387b1f353d606e26a61008849a208024d5fe1464e4823a7dad6b0b831480813
SHA512dba513bd28b7b36b6d16ac3a0c906f7e5a62864418297e9956b5f7131a7e0588dc29d26dd7bdfb0876beb7d7a81e842767de9222dd1fedd96615c348f42996ab
-
Filesize
1KB
MD56b063ed0255d87b2b33865230661a97c
SHA1cfcd6db709ee98ed63b99a3ada13bec844b5d901
SHA2569c9e35defbfd2338a5b3a597045e0587be6c0a93734bd2a4f5dfd01cc914d8ab
SHA5125ce3841168a80ac17f52129ab5bf5c29ba46820bb3d5096a84dfdff49fe4be95241cda7fe47019c7ce7802e6e6f7247be47dbb34081728ee395bfd29cfb07d41
-
Filesize
874B
MD5989859e9d0cdb38fe3f6229e9b273690
SHA12c08aabacc3882a2a4464249cf6ef829d7b29f7c
SHA256ba271f1e1f73d257d988aada3b5f46256061d4bff84c538a03ec07859266ff20
SHA512af45cdb327c932863c3a028e1dbfcdafc4c992db38d9b2f1c841f08c7bb045b8db30e01ca9a31c776f0b158ea8b207c792fded3b1ae9759585a61e6734bb6f4d
-
Filesize
128KB
MD5321971e1f4408ee3b47b0482348d438d
SHA1a7154ec604ade27083112a3b18cf1cab6b91f46f
SHA256cfa683a364bc849081d32e6661e4ad2c911eb626133afcafd84c003b8fc54a1e
SHA512015e2e774a9ed0fe11e2c06fcfc61c5aae1b71d4b45c0236480cf84c1c1894b195bcf783cacce8d3cc857ba15b07dc247d3aeaed94443c54f7b4b6df16e2427b
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
60KB
MD52ff92cc0f3a5c921dc90dbd4cf33b253
SHA1cc07d036876658e2722d4d1c76f027f1503dbca0
SHA25698672e8adb5fd4f84303f2f90c3a334d2e6889347bd7ad60d6fa279488f50b1b
SHA512df08a2c6e713d86d50e598861bd2b1f4cf1dd6128f85be958ddcf830af46b1dedd9561f3fc509b30ded30b72a0329c8595e398854cb03a6f51c3ceefe2587afe
-
Filesize
60KB
MD5b1271542a61e6c2cb7f59dc5fd564366
SHA1f8be6dbe5976234b87b2d1fdae9117ae0adb7ce1
SHA2560958fc53ae6088bf3a174ebb37de431f516f662f66b1962d1865de311c5d30fe
SHA512ab502af2e4a8a55e4577468625fa0d420a436c477c46b162c0dc6ab0e12667bf5c67247ca356891f5aa0cd50138060fd28d02d41157a6efad91b99bb888737b0
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
44KB
MD5be1f2fa0ac903973f71a40dc2b40653f
SHA11f3fa3fc75d663954e0e16d150cbc12bad5c138d
SHA25634365e482f97ca43d0549d46fa4032bde2144a274eca0209b416510c6ac7715d
SHA512ddf25c78319088363d2b5ec40197b3880764c9ea7a6a42ef3aad2395e9f0fac005fcac2888c5715a7825eba6dab842b660912257f6f79d3012c67a53ecf9bb0d
-
Filesize
264KB
MD5cbd58f8cfdbaa4d67a1d53451e51b37a
SHA1e4a6822a5f4fba72ac062614b0ce595412fb847a
SHA256617b37868f1e67e4c73e27ff665ed2931484d581f38c1db52870c2018737e3dc
SHA512031567e259878789b0972cae31019ed64c416e946fbd1ca8b50fa3c429afc5299b9a22c6fccedee692b64c95ed41fa2691454c64d5a41e937244c6556c3a1df2
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
8KB
MD56b6794359792d17f2f99cd84c06988a5
SHA187a69650ec671c65627914a020d47960cfff0e73
SHA2568f15b98ea1604f92d759738f9df267da42b6cc68c65d69f63132a94c340b8674
SHA5123ae6db69322d537e2624dd58e386ff41eecea445b33b310c38dfedf20850e797f91c3d9b651863e24c15396a38285b8e1d66ad3f446d2fee1d15c8f75040f204
-
Filesize
11KB
MD565c3b64240b9eb6ee2486b54ab248f25
SHA1f022ed1553009970213b7408d183705e0ce1404e
SHA256d9a170b5b60946029382a261ac9904a6e3a64fe6841d383555fd962c863b81b9
SHA512e27d7bd1b65e1253b7d2ee8c76c1c1649a374289174aa32234898a8a6afbb23004a6c86c744b8c0b0a5fc37eff78ab2efcd0e8f9a2392940ce768e4f979ea6c7
-
Filesize
10KB
MD5586ebdc1182497245902f825610bb301
SHA17a868bc340205fdca9e9c68fa86a4463c16154c4
SHA256060f4b1144f7a26873391a8dd3bad51518160c98d3c19cddc063c8e37d404fed
SHA5127e76f09aaf93e6510f39112ac46faac6d1c68be9781725fc1a845460801e6a713639125f897df8bcbd25492b1ed5a5e1fb9e870d5d7dab7181e268329d137ac8
-
Filesize
11KB
MD5f1f1caf2fc80220dec7faff86e1f4c74
SHA10933e57dae4378eb66d9d43ed63eb8ac6b355c16
SHA2569588f1795d8e71ea97722aed7c2eb00bca1b45e3e90d56fdf4037a324a0e618c
SHA5127951815e7014b4b6983917e280f0ef7f91b2efa62460498b6c2ee835f76c9ca2bbdb40c6d03899552f27fbba0f73d0bdb697fc34c686702ff0187adc9550560b
-
Filesize
11KB
MD5b9cc8d18597e4c72a13ef078eda62dbf
SHA1d16ab611aa48139630d6a351170d378cad463017
SHA256bc6a37c09644560dc536193fbbb01e20d3199597ae7f3473eadc40dadcd1bc94
SHA5128a4e6214cbd7735bdbc2f602e6df02b48b6f5ece8049e62bdc655c52878f4cce4101146134a010235a06fad723772e01c8e418a6e9840e2c63631c6436a47f5e
-
Filesize
11KB
MD50630e650a03afa2722ddd0a746cbbbd6
SHA1d51f5cb56a8a5f2bc3c3a45534236fc1235cad01
SHA2564dd0a196cdcc1041cd7c3592a99e3e8eb638c72a093f906b2647b0bea76d7d3b
SHA512913f224fc4eaacfa8e0ecb59c2d9bd1c58ab84662b2f118f1cab96388e9d4e1da1756d7861fe58163ccc9a34845c78013bafaa81617b2afe8c93a803a7ba6a20
-
Filesize
11KB
MD5ed827e7e8a71f9d3391b1f46be81147c
SHA1db6cfb0bed74341b8cf4b69614c75b5dede14e14
SHA256643563518db35a84ed194f838c7939023273e247124f914b98d8a70e90947dca
SHA51248bb3144b685fd14e9e9e5bf4c04afa55bc0586a7fb3e5d998a3b3ea72ab2575f4579254eb43541b18430766eb0f26382edbd17affa53feceaed9ecad49d1f27
-
Filesize
264KB
MD5c229d88ad4ddf7d9c29d635f27a6fae8
SHA1475301d56b04075ffe14df17d8f43aa71c5b1d1b
SHA256e40456eb8123f0a5978c5315f4a6ad12a471c6005c03943162717135cb728e89
SHA51254f2df296e375379befe61e834a31315b99512752aa71ac3b33d2cd112f5f303a9014e3d080f3ad6c25870953482cb1675aa7e424c8c1fc2635602a2734c8bbe
-
Filesize
81B
MD5f222079e71469c4d129b335b7c91355e
SHA10056c3003874efef229a5875742559c8c59887dc
SHA256e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize126KB
MD56698422bea0359f6d385a4d059c47301
SHA1b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA2562f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
Filesize
40B
MD56a3a60a3f78299444aacaa89710a64b6
SHA12a052bf5cf54f980475085eef459d94c3ce5ef55
SHA25661597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f
SHA512c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468
Filesize57B
MD53a05eaea94307f8c57bac69c3df64e59
SHA19b852b902b72b9d5f7b9158e306e1a2c5f6112c8
SHA256a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e
SHA5126080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0
-
Filesize
29B
MD552e2839549e67ce774547c9f07740500
SHA1b172e16d7756483df0ca0a8d4f7640dd5d557201
SHA256f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32
SHA512d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize450KB
MD5e9c502db957cdb977e7f5745b34c32e6
SHA1dbd72b0d3f46fa35a9fe2527c25271aec08e3933
SHA2565a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4
SHA512b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca
-
Filesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5208a73a2c2b37bd699a70c17e7f214a7
SHA183632fd0908af4acdbaf9f51f5445eb5af70e293
SHA256fc3f41d93ab73a36da52e7cae67ab4aa833c8f4c7ac7f8cff39bfa5ea0fbd8ff
SHA512009800270263d81e7f670387c0be0a4d96153a51b446da9d82959210a94ed2bad48c984c9fb5ac755096f2024ceb867a740a8394c499252db55b6dcf5ecd65a7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD52fcfd6dc52a0300ba15708de82ff64b5
SHA175feff30cec9cc8c29fd50c79512ea8a16bf16f2
SHA256a09b4344b7c373ca06126e718ed88b0bf735b9e392ea02ed7ed64d6f422591a6
SHA512bc7c531b8cb1cf59dff3a7152008a2e39d7e74afa63707e4a8b9e1cae2091d34f81917b913b6d1c6b244ca2a80d3adc6d6e27cb97a2b15f332dfd2d3b697ea89
-
Filesize
29.5MB
MD5187b25b9e02c2b5d01a70d9d1855dd7c
SHA1d0c7d39012ad0507239a3b060ea42cc13b22eb65
SHA256f26803b764a54a90852b7fd274d5ced7a8a58f1715d3ab4b96900ad4f9dd0410
SHA512bea5cec59d0ebee26a71c78dc38da47a25ea7932d119868caf82b5e4bbbcecd8969abea80ad41b65352f264ced33c457a041c0d9f321c272a8f913802ee254ed
-
Filesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
13.8MB
MD5897201dc6254281404ab74aa27790a71
SHA19409ddf7e72b7869f4d689c88f9bbc1bc241a56e
SHA256f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a
SHA5122673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed