stormkitty | fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

Resubmissions

20-01-2025 13:06

250120-qcldbszrer 1

20-01-2025 10:35

250120-mmq5savlht 10

Analysis

max time kernel
848s
max time network
902s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm v5.1-5.2.7z
Size

54.5MB
MD5

76219b3556e25086fc52f8e2b93fbd0c
SHA1

066a0f875820e51a60c3552a06b7b97f8bab6bbc
SHA256

fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
SHA512

ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
SSDEEP

786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE

Score

10^/10

stormkitty xworm agilenet discovery evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

Q0Vfr0It1WD6YvBs

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0007000000023d46-434.dat	disable_win_def
behavioral1/memory/5048-618-0x000000001C110000-0x000000001C11E000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000300000000074b-390.dat	family_xworm
behavioral1/files/0x00040000000162de-400.dat	family_xworm
behavioral1/memory/5048-402-0x0000000000640000-0x000000000064E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d4c-440.dat	family_stormkitty
behavioral1/memory/5048-621-0x000000001DFE0000-0x000000001E0FE000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
616	XWormLoader 5.2 x64.exe
5048	XClient.exe
4568	mynojb.exe

Loads dropped DLL 5 IoCs

pid	Process
616	XWormLoader 5.2 x64.exe
5048	XClient.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023d5c-357.dat	agile_net
behavioral1/memory/616-358-0x000001EAF62A0000-0x000001EAF6ED8000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	XClient.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2696	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\AI041040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Julie - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "5248260"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Near"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{E41B756A-4003-45F8-AB87-271411500567}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Laura"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR es-ES Locale Handler"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "409"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - it-IT Embedded DNN v11.1"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR en-US Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_HW_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Haruka"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "5233694"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Haruka"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - fr-FR Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "C0A"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{31350404-77AC-4471-B33A-9020A2EDA1D1}"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
2112	msedge.exe
2112	msedge.exe
5100	msedge.exe
5100	msedge.exe
1572	identity_helper.exe
1572	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2892	7zFM.exe
616	XWormLoader 5.2 x64.exe
5048	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2892	7zFM.exe
Token: 35	2892	7zFM.exe
Token: SeSecurityPrivilege	2892	7zFM.exe
Token: SeDebugPrivilege	616	XWormLoader 5.2 x64.exe
Token: 33	1300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1300	AUDIODG.EXE
Token: SeDebugPrivilege	5048	XClient.exe
Token: 33	1820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1820	AUDIODG.EXE
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	544	explorer.exe
Token: SeCreatePagefilePrivilege	544	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2892	7zFM.exe
2892	7zFM.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
5048	XClient.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
544	explorer.exe
4536	explorer.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
616	XWormLoader 5.2 x64.exe
4412	StartMenuExperienceHost.exe
444	StartMenuExperienceHost.exe
1988	SearchApp.exe
3684	StartMenuExperienceHost.exe
5028	SearchApp.exe
1832	StartMenuExperienceHost.exe
3112	SearchApp.exe
3852	StartMenuExperienceHost.exe
2060	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1224	616	XWormLoader 5.2 x64.exe	102
PID 616 wrote to memory of 1224	616	XWormLoader 5.2 x64.exe	102
PID 1224 wrote to memory of 2772	1224	vbc.exe	103
PID 1224 wrote to memory of 2772	1224	vbc.exe	103
PID 5048 wrote to memory of 3756	5048	XClient.exe	109
PID 5048 wrote to memory of 3756	5048	XClient.exe	109
PID 5048 wrote to memory of 5100	5048	XClient.exe	112
PID 5048 wrote to memory of 5100	5048	XClient.exe	112
PID 5100 wrote to memory of 648	5100	msedge.exe	113
PID 5100 wrote to memory of 648	5100	msedge.exe	113
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 3056	5100	msedge.exe	114
PID 5100 wrote to memory of 2112	5100	msedge.exe	115
PID 5100 wrote to memory of 2112	5100	msedge.exe	115
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116
PID 5100 wrote to memory of 2796	5100	msedge.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3380

C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\endavk3n\endavk3n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94571CAA42F04583B995CB1E197D523.TMP"
    3⤵
    PID:2772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\mynojb.exe
  "C:\Users\Admin\AppData\Local\Temp\mynojb.exe"
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\etvqku.bat" "
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffded5946f8,0x7ffded594708,0x7ffded594718
    3⤵
    PID:648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
    3⤵
    PID:3056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:2796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:4404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:1812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
    3⤵
    PID:1528
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,766483070465160774,2783734285851928321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1572
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  PID:3112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0gi4kr5y\0gi4kr5y.cmdline"
  2⤵
  PID:3168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE51023DC15C84ED1A17772AF33DB1DF9.TMP"
    3⤵
    PID:2300
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:544

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:1084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3112

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:2616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3504

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x64\System.Data.SQLite.DLL

Filesize
1.6MB

MD5
1b1a6d076bbde5e2ac079ef6dbc9d5f8

SHA1
6aa070d07379847f58adcab6b5739fc97b487a28

SHA256
eaadfbcafd981ec51c9c039e3adb4963b5a9d85637e27fd4c8cfca5f07ff8471

SHA512
05b0cb3d343a5706434390fe863e41852019aa27797fe5d1b80d13b8e24e0de0c2cb6e23d15e89a0f427aaeaf04bf0239f90feb95bfc6913ca4dc59007e6659e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
339c154274e931147e0d3755814a5a37

SHA1
44baae29602f89279cf71a532cfd460c4b281515

SHA256
4435fb5cdf0b285e7a6913d285f9bc384da824df5877689553d557b988fb8e42

SHA512
406867eab9121bd7eee041339a04efd78dc33d97ade2eebdd4512f3d8138cf8523f8f15492538ee9f2b0b73940636e0cae6f2a913637a46696cae74bd2023678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
814B

MD5
7b2edb7df4f9e813d631dac1c7b9b99f

SHA1
3f5fadc89f0e0fdd6099cc73b93b274f211fb00b

SHA256
4607b9894515b90f2c4d948d972208d5aa079dd3d7a8012721a769be9ca3b3ad

SHA512
187a7fb67c472a5d7857d2729742c82f60ec13b684c7f412ef133ebaa73da5f3184072839d1a410d3a94c4eb75119bff93f5c82c735bb0fc6ef2ab24f416d2cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c3f0ef17921170fbd52c7ce21125ced

SHA1
af49cc996c7a87bbbc030e00d9ba1bc831913d3c

SHA256
6353379fc1841f843f7761ac329803e0e4a3bd41309fb5ce8203bd50b3766ba6

SHA512
5175d576af56bf77f6e4c4bdb01f6e4ce4043fdd89e010852fbc48074f0af545316f7c7ceffe7288e1c0545eb2a29f2d8652dd96392aef5b513b6c8626547e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b966a0ec78eef37158c27f31f0382a57

SHA1
871af2f99112e844a1e9904f6916adf4418c171a

SHA256
511b1ce5f69e62bda2c5b95f9b756d94d07775f833efe70af5008ec09e9bd425

SHA512
6f3df70f21eb4858877f33ee23e0e965a25a956387364550d38b50120aa80edd274fae1eb29f53975869fb79d5e87ba8cec2a041d99579fd357240b01d9856b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f4f68eac8a9c8cca151c4c6afebad727

SHA1
38e77e6539f7a14da451be095aaca180845143b4

SHA256
f708c88a06df7bdaa6376d930709c1c363616c1bc6827b134d5593507019cabc

SHA512
b14b3fbcc768bd6da6630d7cce55d30316b878ccffd1d3d0f6afc102d080d8b140daa4805734857ec72c719ab8cba97a355dc2235846e8d698db4855389a6a17

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YOZOSN6K\microsoft.windows[1].xml

Filesize
97B

MD5
e6ba99d8293b4c7951bad0a2c6761b8e

SHA1
87aaf2d975cdef4db219e4f9f2b1469dd05a6b0b

SHA256
773b2b8b752a5bfd3d93b7475dbb7f659bad014ffd06292ee0450c216892ac29

SHA512
e6861e87688861f4c43d80f9e98996fc476a11d4e147eb3c55f66d6f1abc065690e2662dd34dca32c0284b64056b95142d932697aa1fa6d6b755ef0f57031ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC4BFEAD7\XWorm\XWorm V5.1\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC4BFEAD7\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D9C.tmp

Filesize
1KB

MD5
1cfcbdd7aaa6d1136bce38cd19d945be

SHA1
474758e66965e51fd0b396d943af56287996fcf5

SHA256
59e124cd4519126356041f9ee2aa34f0aa70ec974688255a52a68bf6ae01c333

SHA512
56aa44cb5482e97b17236c63322e642ee0c15114e25e62f5d2a276c1664f2741fd219dd6a2aabb17c7faae18cdd08dabacc2665ed2667952c4a47929747115ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\endavk3n\endavk3n.0.vb

Filesize
77KB

MD5
ebc45e5becf51365465080ea9cfd36f8

SHA1
26607dd70c098adfb87041b1eab6b52b73341498

SHA256
c8a99a937d741df4cbe0a6790c214be370e6476d62018ddd2b0b5b9fb55d9aa8

SHA512
024f436413af4ccf20b904436eb3b0aa30339ed9a85eedec10be614db76baa51218b09091d9a80f90f550d49a4df5d05ed4e81ae74093f7f08f1f6e986f42dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\endavk3n\endavk3n.cmdline

Filesize
290B

MD5
0da2957088a7dcd2d5f689410b006e00

SHA1
76c85cb004e71ac46b53a5b1837e5825b9e6fa5d

SHA256
180f758329e80f84a3a0b3d978029655ce92907b80e7146fafcd1f009cf069fc

SHA512
fadfc50ae34963dd8ac1e71faa73c50332d0033a931c5a0c5dcc551daa885a620bae59115a1f68967abe89b89b7d992521e3e762f57e53de17e61b25aa268023

Download Submit
C:\Users\Admin\AppData\Local\Temp\etvqku.bat

Filesize
571KB

MD5
55e7540d8e955598bf5451ab776ac6a1

SHA1
44dda654b0b1e69623ccc9f85ca785e06291d95c

SHA256
d78b4b0ba006323e98c8fa098be7e4edd84d8724e2c351ca804d54307ca33a51

SHA512
1b8b1ff83de05331142fad8715f935bf2972b6a3d50bac7cffb4d05fe843252c55de7223a25030f41fa2815b19688244fefc3b4ce6e4268904cb8586208b802f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mynojb.exe

Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94571CAA42F04583B995CB1E197D523.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
33KB

MD5
3ae48f5a70b10b55b1e4274ba622f545

SHA1
54bc2909ee1e4183a8162c030198a1089fd04aae

SHA256
1d4d49598b57ef91baf2a37f15c71b28775325fdfdce7dda4fd16fd776382bef

SHA512
5d190e55c9ca81c16dabfc6ba7a90899db40878c091cfd9b93b53e0c7e5a7970c1d43087615e06687cc8159fc24746c8d31d1121026042160fd1b71aea01c258

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
eea1f284c21e67f9ae71822798793c28

SHA1
ce3187b35a736a3c18f10f449dfcb793c95dca26

SHA256
77ec3eee197d5c4b9ed3d6c059061c52615276360fe11f13f8a6bb6ce429f42b

SHA512
5b3f72d803f250668b9ada77b1a03ecd8662787b8e51c01a4e334503a5f1545ac9dc341804d0d1552e9c35596443e1a610553e3d1ab80aaef6e0f5283384def4

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\All-In-One.dll

Filesize
4.8MB

MD5
f24552f5f604c80ba4cf7afd2143df05

SHA1
98883b7bf9b996c788bb501336e388177b9b19c2

SHA256
e050a91599f3e6a89dc84a4825fdea6c4d66e970472aabf48ff586d79b67898c

SHA512
1edb1f6cc4bdb3b69204fa724b2f8a5205b3251f475ae7cf8cb015220a26e9a976c1baa3c938e8fb9df1470795ff579e21b339b58c79f96af96cfdd17eba6c15

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Chat.dll

Filesize
18KB

MD5
66e4c3a843b1076b96c48cfa0b467bcd

SHA1
2768257ff7ddc6107a576c4b739eeb09689772eb

SHA256
6b5beda1f2423aedaf83f210f8cb719d3f61f9d2cd489690fb0066ff0895ab80

SHA512
7912e5806b169a1da88ebf92842ec410ce3dd8d98578054e77cc4381e90ee174a497ea1f38a54c5c65c8475a7928cfc79ae8dd58b979c18f7133c5c83e145879

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Clipboard.dll

Filesize
14KB

MD5
6ea5b16696c2f2d265c9f864d0c727ba

SHA1
030a0bf757767869428b0a7e11cd40df7a0cfe5a

SHA256
301ab3fe52f974dc5bab98bd127c93d755597fb58a0756539cde7ad4580725b1

SHA512
2426b43886ddf9896d9f27862de08ba9eada25b432c715259b71b000a2b474bcf29ba224ac0f3fad3224ef36b17b250d593f907ce0c18703cc37e152a7321203

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\FileManager.dll

Filesize
679KB

MD5
b9dea988042c4d9878931cac41d61fb8

SHA1
82885bd2d01d27f4ce3741885256d7db418038b7

SHA256
29b44c17c85f05ced52004db716a156fc9e50b52debc8e061e2ea96957cc0d07

SHA512
81192c5b1f2e67787b569218c03e4c274a2184fb0e762afed6e3608995e3e1d1987306f32f64f28bc287fb09746476b4c7c60479fe0a5cefa186e5b208d8bacd

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\FileSeacher.dll

Filesize
478KB

MD5
fe625a7c51e699336f9acc3108437134

SHA1
50099ae8c3679930400261c80ade073157fe4f80

SHA256
68e4e6f42ffdf5ed18f1849e30f83b1baed1cfa57c68f57178bfa875e247c2b7

SHA512
26b9bf3c0b31fe029201c884f7d220b0bfe589d33dd6aa0dfd665c38af07c2352e89859198e0e9b18339c0e6c8f1e9c44358b222106531659aeb0d6f6c6c0c44

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\HBrowser.dll

Filesize
25KB

MD5
79f13be3582c42df73033819d093e1f8

SHA1
45c25633bfd0ab3c4f95b7137eb9671b911ea595

SHA256
f38e74a4bee2cf29d710d7c58eb83e548d92604621a8fb076bdc1e79714b9938

SHA512
e6e4331d26f35ac52d3524da0c6cdbb4bb36af54b57c61bce564bfec8663245bc7e5ff192c44a3c731e9ce7b83fdff40f274347a5241f6322833a92df944adb5

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\HRDP.dll

Filesize
1.7MB

MD5
4f16882639fc029fc367503eb820c298

SHA1
1e6b1314507e954649604dd9f80b4c45a93d7e89

SHA256
ef238f294111804c44f465d090a1634b6529d1eba85720b2e373d57cd59f75d6

SHA512
1fc02358b8347fac1acf751f7fe9c5d4d17cc35ee3df2052b69fdd518939092b54b8d29ecbf112d53604c087b01728d8961005d3946880df896998526a578ebf

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\HVNC.dll

Filesize
58KB

MD5
b5ea6d82ec2d4127124eb9467eb5ce16

SHA1
0a27f08f94a80024854721c73c7715af95581da7

SHA256
ecb1a845bc2e813193e628eea48738f2354eb1ce8902a092118aa48ea2ff4bc7

SHA512
ab459d26ce689d5c7fb533fb754b875896c214e0001ecc6e8b061f7cdaf1aec06400f66f506822775337a42b80f4e1e9ab008a658cfacc873cfa83eaab6f1880

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
14ca9b8f7993924b77078e08ec0d5df5

SHA1
fb2b5717da357f6d13bb1127980c22bada68836a

SHA256
8ab3391fa5880be5991133416bae0d5b76daa2d43c8ff92ff44d6dda23386e57

SHA512
64aac1a872666bce5bb86144a6f96bb6905a2d900d76e8d2d6f1cf8b499baefd35c7fb4d6b5150d5717451c5ad632d677ae6f85737d334a7cebbd9d725c9964f

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\HiddenApps.dll

Filesize
45KB

MD5
c5efa70a04a026b9a2fa97b1ea43e840

SHA1
aab2de0ab74c12e04256ff2b113b062dc93179e6

SHA256
f9ef7709f34e944d99ca5bef6af1524d7cf3889894084b7ae61e9202f267a728

SHA512
1348d4ebd3ac5b56eb32820ee14f9aee20a43b7dc3d06dd7fd62c8f227b12a27d0c0376c7d858e78315cd92d17e588bc2e37648c04d146530db706e8b3c4ff1d

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Informations.dll

Filesize
22KB

MD5
310ba7a07953ed7f783e89bcff6197e3

SHA1
147aa53e0d7cb027e6c67fa50fcb0dc0c770e157

SHA256
b10616eb3f5e4b0ceffc696179cdb616c78ef970dedbac10845a39985c91a38a

SHA512
554ead0f700dd617eed6055a84ecad288c4779ab20206e7434a8f3443a03a95a501014cd52390eb57570c25ea2bd7a298b96e88e8550d10b2a5db4f9633af529

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Keylogger.dll

Filesize
17KB

MD5
40ba99b80654259d0428c7e4f3645948

SHA1
8fa93e0f035694cd8e420aa2232aca859b3a2a6b

SHA256
3361bb2309e4ee31f14081bc170ac530e2ae9d1336026e736190a0304e2e77e4

SHA512
fc1deb29eea114e5a472102a51d49fa253a5c79821acffa930b30089ebecec4312437d4720b46e92149be2ce69aed57dc3939621a596ed6c413397363fa44ee7

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Maps.dll

Filesize
15KB

MD5
b74f037f6c6de44e817660922a3044fc

SHA1
eb5acc30d3f607193bd819e8c0cdaaf70295c5b4

SHA256
ccb32961b904a22c2531313ed7c3733d7288daab181074f034eb4c73a0958a65

SHA512
a547961b87ecdbc0f9bf02381f16e03795dc73eda744a86da2cc07c97d7f1b65642971347d1ca69f36ead63c3b9078b6e0f2ecb4b6f2178a3b9a62f3ffb76579

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\MessageBox.dll

Filesize
15KB

MD5
bde9c12607827e21c64e1d64033043b5

SHA1
d980614dda65f1f4c3a73d1f9c8162e597fcac4e

SHA256
2170fe155b56e362500ece32013bbf8d45d5dc93e689ab33d3612066c7450f75

SHA512
e015d9b915b748d1683c18621919161f9d495221c9bf788b661e3eeab60320ee0b0d9d64a393fafa47b521b484f0af2c9948f6dac0a9b7ef1e8910571e7e98eb

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Microphone.dll

Filesize
540KB

MD5
747554e4ca902a8d18b797c2edcb43ed

SHA1
508d7c9f0b031a352a1a1f25d4c6abf4167392d5

SHA256
1f135bc57ea4f44bf8a37d66b42788bed5aba753c5cbd0b4d3349ede64abfc59

SHA512
deb3f480dc7febb1d9ff4ccdb1dd04d83e9fbe7e74fb0dd39d103dbe85fa0c434407ab032e9bca027e38a0f482d08308513cd821b09dc08aafafd905e97126fd

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Ngrok-Disk.dll

Filesize
7.0MB

MD5
4443f2173682ef836df2f89e1b44296e

SHA1
1b0db6530eb5c5404af614143f464d663382c2e4

SHA256
01e170bc479dc22cec4658a39067e001a72a974a4e562aca01162f82decd20b6

SHA512
7bb8df753fc3636d3b01f2145c1df553b34a427a9e07d4c563a1fb2e23480ba2d609658d6ca2c4deaa386feff8af741397a3cbdb15c28157c4cf4ba8244fb61f

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Options.dll

Filesize
30KB

MD5
b0ebfc762fd2a7511e819336524551ea

SHA1
b3657c8edc6b9231d16b49bec11f01983d965495

SHA256
bf2978e31b7a1612255ff79217481374ea2ae976c2b8c270ec3eb5324251d8d7

SHA512
2adfff3089ac551ba057f2b4b2d208255a4558abb2761b39fd9cc10f37313386fdc1307fffb80777e0a1b6c1d1dbabf61b26cbff8592e77f982453679145822d

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Pastime.dll

Filesize
17KB

MD5
178627a4b30c54d20e5a59049b5af211

SHA1
5ae226eb92df19cb693764509b953bf1dbfeffcd

SHA256
c3ffa5aedbfe2c83e68d7b70afd1adb590801da429c3a5d4fd6da18116ab0cc9

SHA512
75e9684378f5155f228a75c03cb517257e7e04cddf9762e7e5b348f7b30482a9c750cb0285e28279dc9ef740c3ce759e4ebfb4e3efddd094daab7eb3bdf713c8

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Performance.dll

Filesize
16KB

MD5
d447b98bf277020e48a04d2771b190ba

SHA1
a9b312d1d858e06156eecab2cd97d246a37822e8

SHA256
57af9bb212361e2dbfe97a784beb2f978426b42f9ea0986f74c8fbfebb630f13

SHA512
8c58bf90c5433005d7e3c8a871171dd5fbc558947d5ce387351fa7625ed6bf2a6b72afa91f8d3c7243c5e950467855838f27b6356266074321204347cded15a1

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\ProcessManager.dll

Filesize
17KB

MD5
12630688eb6538b34e5a392cde76ec09

SHA1
add2c24ef79657f47693995b1ddb2c760520670a

SHA256
8dbffc8d2928cc2fe3dc67b071619419bd4e21506bf8d8b66bbdef54101953d3

SHA512
24da487f34fbad245f64f86b88db8c61041e80956c2befe859903ece46905ded09e90e08f2d148316947dde8a4990bd1c944ad36a96930b197769dab025689e0

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Programs.dll

Filesize
13KB

MD5
c730d22a23fb8ec58f51116e54ac4cc4

SHA1
45c4b19479d6e58736630db5405dd58450a601dc

SHA256
4bfe2b70271956dbcf08086ff04bc36a23928d974469ffeaca97ed5ad5b6dcfb

SHA512
da5d553e1e470958db4565699f0d2a58c9ab8a653b34003fd33758ed85f1a4f3c027064fcd0c24dae3ba88f7adc22f9b45ff55c22e2b29cbc0cf8f0b7293f7db

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Ransomware.dll

Filesize
20KB

MD5
e55dfe70871fb442f8b8eea790875a7c

SHA1
0f659147ad89de0dadca9d74abb0854ec64ae403

SHA256
b0ccb9a2bef7fd24d7f31bb70a8516129a099b47d2564f9f18cb0d87144fc5da

SHA512
daf5fc4a89d841a04b2b6fd8e516d7efa3baa08710af6ff85c57771d99a2ee07da4c2482baed9ecdae54e3eca2d840341ee3371a826cf26fb180dfba864e63a8

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Recovery.dll

Filesize
1.1MB

MD5
be590ee7d8c0366cc28c200308ba0823

SHA1
0fa6c6ca44893c45f115e446566f0d4dcf5168d6

SHA256
a81e4efc2c85a4f8fed46b9b0f3bd3c2a750a3047ae7ce5b29f21df52d85dfbb

SHA512
cbbb4c62d703bf8dd0e0e34b438401710c1bd62c82f71060483f4a84dfaa802a9b0d39b904d6f77cf4ef0b630f173f66f349497d53a6039c640e0f4301e26041

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Regedit.dll

Filesize
15KB

MD5
d92b2e7472ec9cb8b803bc039558c828

SHA1
0ca9e950b5ef64e3cdd23a31a2b51ad2b82581de

SHA256
1989885e6f4f459b4ef37ab11e97ffe8c1598a8189eb3a4110f259357af2414f

SHA512
ef4ded6ae8349a58a0745aa55ad96530d028f8137437124b02a80b332e2801447dde2e6e908e48151ee7102868676ef435fe5ecf0ebd980f497435e58e599171

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\RemoteDesktop.dll

Filesize
18KB

MD5
f4e00005c72b4331eb0e9243346d3e1d

SHA1
f8afb37fc362430b4045cd2f22e5a5cdaca43ace

SHA256
9bcf8dfc92bc643b9414a446da4632050de1b7577fedf4f7711d3b4b3d46e06d

SHA512
7e9be2c2a247a7ee067b156062098a2494113ca935c83a6c8723ee2fe3b7ae15ce5addac5630b8aaba9b12d52896127609f8d7974bb622b79d9a8dddd6c7a155

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\ReverseProxy.dll

Filesize
16KB

MD5
a4bd2edda7e214bc50ec559c15cf81c1

SHA1
1f268ba761ef9dd38d74d3eead9289a2a35d21a4

SHA256
9fd3621ffec11e0ad254b37ce4fe527f82461b67cc8d8827532d3573a011e2e3

SHA512
b3d8857b0fc31c5fafc8552e54c34b2e463f5dba2d167ecf41e5c22aca8a36ea352a4aa1baac73278c409f975e4c68ecc55e0c085280c62151e7898b59a4bbff

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\RunPE.dll

Filesize
11KB

MD5
e8f0b68716a0bc4459601623c5c3c757

SHA1
261e11edb2ec5b14d8feaf80d6a8e966da1817f8

SHA256
0f075f2dd5a41d601329c4bff57ff38302e1da2ad149399f7f2776e640063502

SHA512
5539be32acecb59e43eb35ef9971b82764ed6bb5cc50b02ca0921ec30ccbb4d49a743262350ec9860bc669000e6511d3b3dcba0a37a5360f3f6ff4af2bc420bf

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\ServiceManager.dll

Filesize
14KB

MD5
539b869c8fde6159f832e9b851bab6c7

SHA1
1e5b134d538d9c2eef53e4ecd04b806f4990cc74

SHA256
79ae4fdfc5edc08cea5520fe1e8fc448991903c493a02e9fda407bc825b330e9

SHA512
47dc3e66b4e32cb3bc1e2583e852cad7c211defe529d2ed7fce18587b4c1515bd5b5c5720f9ba0c1d9d022ff537abf827ed483e09fe63dfcf05bee4c07434631

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Shell.dll

Filesize
15KB

MD5
cb3bd9515eeccc9042757756ab7dd962

SHA1
c562da19fdc78c12685a0b1913bdf74067612b25

SHA256
e1cd982074254a8290fac19cd6d657dea80e4e70fb2742dae1137d895c3a09d8

SHA512
b1f5b6bea6ec21ae855c92871d396ae5139d028fd9f8e6d23706fc2abb97e3810b5b90ce70f2f399040436d5c4e47d64c5506464b26081fcfcb99dd91d1ac33f

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\StartupManager.dll

Filesize
189KB

MD5
cc42a1c35fa6857707755c4b7eebaade

SHA1
ddc1db3a8571e1d5da140f3500e26bf1a03acc03

SHA256
28533cf4dc5b93d9ec547c2a7649958e6c3b2906ddc43175af0a94439596bee9

SHA512
120c1481566b2c341cb9ffc90c821b1823870b9a671913ff5db9b8802f3fd120570dfe7c9928a038f3bf8a838a63a9ea5b3819a47bdbd9827f1024d79a70cbcb

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\Stealer.dll

Filesize
3.3MB

MD5
6cf3156c057817473d7d2239f71d2403

SHA1
36f45d7a326054e231b77b6021392d35898096ec

SHA256
3257ac3031047fcb719a8f82bd54ce42a6d542a97dd0149da08957a0c479e7fc

SHA512
3828f10081ef476cce1832ae8b3f68d7efaf539903f9d4f4e6fc4ef19feb87cb2d63409d5057e5d6d4b46e229d9ca10e39917a5c1902c55a3ce01cf18d67526d

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Plugins\WebCam.dll

Filesize
209KB

MD5
0f120604ef985616821459e5ff2feccd

SHA1
100bceb7d6c01b574b7089e999bc05ab3fc0847d

SHA256
a07f0452fc4b47b53ec48d6c790aa4407aee15ec67320c506ba674a1dae551ef

SHA512
d4127d42d61a93e5e02d2e68ca21c91c5ad47e4149e0eecc9902f1daf69a9f52499c16e42bb51993289f5afb7f6f73b76a0d7c4631e8a998aa6c731053385806

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe.Config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
memory/616-356-0x000001EAF5460000-0x000001EAF547A000-memory.dmp

Filesize
104KB

Download
memory/616-344-0x000001EAF5490000-0x000001EAF54B8000-memory.dmp

Filesize
160KB

Download
memory/616-376-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-375-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-374-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-373-0x00007FFDDCEF3000-0x00007FFDDCEF5000-memory.dmp

Filesize
8KB

Download
memory/616-372-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-371-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-370-0x000001EAF5FD0000-0x000001EAF61C4000-memory.dmp

Filesize
2.0MB

Download
memory/616-368-0x000001EAF76E0000-0x000001EAF82CC000-memory.dmp

Filesize
11.9MB

Download
memory/616-367-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-359-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-358-0x000001EAF62A0000-0x000001EAF6ED8000-memory.dmp

Filesize
12.2MB

Download
memory/616-693-0x000001EAA38A0000-0x000001EAA3A3B000-memory.dmp

Filesize
1.6MB

Download
memory/616-380-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-677-0x000001EAF8A90000-0x000001EAF8AEA000-memory.dmp

Filesize
360KB

Download
memory/616-339-0x00007FFDDCEF3000-0x00007FFDDCEF5000-memory.dmp

Filesize
8KB

Download
memory/616-355-0x000001EAF55E0000-0x000001EAF561C000-memory.dmp

Filesize
240KB

Download
memory/616-353-0x000001EAF4AD0000-0x000001EAF4AD6000-memory.dmp

Filesize
24KB

Download
memory/616-409-0x000001EAFAD20000-0x000001EAFADA2000-memory.dmp

Filesize
520KB

Download
memory/616-385-0x000001EAFAE00000-0x000001EAFAF68000-memory.dmp

Filesize
1.4MB

Download
memory/616-411-0x000001EAFB030000-0x000001EAFB0E2000-memory.dmp

Filesize
712KB

Download
memory/616-405-0x000001EAFA460000-0x000001EAFA48C000-memory.dmp

Filesize
176KB

Download
memory/616-340-0x00000000006C0000-0x00000000006E0000-memory.dmp

Filesize
128KB

Download
memory/616-407-0x000001EAFB260000-0x000001EAFB542000-memory.dmp

Filesize
2.9MB

Download
memory/616-342-0x000001EAF52E0000-0x000001EAF5322000-memory.dmp

Filesize
264KB

Download
memory/616-352-0x000001EAF3440000-0x000001EAF3446000-memory.dmp

Filesize
24KB

Download
memory/616-351-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/616-348-0x000001EAF5520000-0x000001EAF557E000-memory.dmp

Filesize
376KB

Download
memory/616-350-0x000001EAF5580000-0x000001EAF55D6000-memory.dmp

Filesize
344KB

Download
memory/616-346-0x000001EAF5430000-0x000001EAF5436000-memory.dmp

Filesize
24KB

Download
memory/616-378-0x00007FFDDCEF0000-0x00007FFDDD9B1000-memory.dmp

Filesize
10.8MB

Download
memory/724-2022-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1028-1876-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1088-1727-0x0000027E284E0000-0x0000027E285E0000-memory.dmp

Filesize
1024KB

Download
memory/1088-1731-0x0000027E29620000-0x0000027E29640000-memory.dmp

Filesize
128KB

Download
memory/1088-1726-0x0000027E284E0000-0x0000027E285E0000-memory.dmp

Filesize
1024KB

Download
memory/1088-1762-0x0000027E299F0000-0x0000027E29A10000-memory.dmp

Filesize
128KB

Download
memory/1088-1742-0x0000027E295E0000-0x0000027E29600000-memory.dmp

Filesize
128KB

Download
memory/1988-745-0x0000017C038D0000-0x0000017C038F0000-memory.dmp

Filesize
128KB

Download
memory/1988-733-0x0000017C031C0000-0x0000017C031E0000-memory.dmp

Filesize
128KB

Download
memory/1988-721-0x0000017C03500000-0x0000017C03520000-memory.dmp

Filesize
128KB

Download
memory/1988-716-0x0000017C02600000-0x0000017C02700000-memory.dmp

Filesize
1024KB

Download
memory/1988-717-0x0000017C02600000-0x0000017C02700000-memory.dmp

Filesize
1024KB

Download
memory/2060-1155-0x000001D449D20000-0x000001D449D40000-memory.dmp

Filesize
128KB

Download
memory/2060-1166-0x000001D44A340000-0x000001D44A360000-memory.dmp

Filesize
128KB

Download
memory/2060-1144-0x000001D448E00000-0x000001D448F00000-memory.dmp

Filesize
1024KB

Download
memory/2060-1148-0x000001D449D60000-0x000001D449D80000-memory.dmp

Filesize
128KB

Download
memory/2252-1141-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2616-1293-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

Filesize
4KB

Download
memory/3112-1011-0x0000022269140000-0x0000022269240000-memory.dmp

Filesize
1024KB

Download
memory/3112-1034-0x000002226A680000-0x000002226A6A0000-memory.dmp

Filesize
128KB

Download
memory/3112-1022-0x000002226A060000-0x000002226A080000-memory.dmp

Filesize
128KB

Download
memory/3112-1016-0x000002226A0A0000-0x000002226A0C0000-memory.dmp

Filesize
128KB

Download
memory/3112-1012-0x0000022269140000-0x0000022269240000-memory.dmp

Filesize
1024KB

Download
memory/3504-1877-0x0000020189A00000-0x0000020189B00000-memory.dmp

Filesize
1024KB

Download
memory/3504-1878-0x0000020189A00000-0x0000020189B00000-memory.dmp

Filesize
1024KB

Download
memory/3504-1882-0x000002018AB40000-0x000002018AB60000-memory.dmp

Filesize
128KB

Download
memory/3504-1891-0x000002018AB00000-0x000002018AB20000-memory.dmp

Filesize
128KB

Download
memory/3504-1913-0x000002018AF10000-0x000002018AF30000-memory.dmp

Filesize
128KB

Download
memory/3548-1624-0x000002358CFB0000-0x000002358CFD0000-memory.dmp

Filesize
128KB

Download
memory/3548-1606-0x000002358C9A0000-0x000002358C9C0000-memory.dmp

Filesize
128KB

Download
memory/3548-1594-0x000002358C9E0000-0x000002358CA00000-memory.dmp

Filesize
128KB

Download
memory/3828-1724-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/3980-1299-0x000001D53C780000-0x000001D53C7A0000-memory.dmp

Filesize
128KB

Download
memory/3980-1295-0x000001D53B620000-0x000001D53B720000-memory.dmp

Filesize
1024KB

Download
memory/3980-1310-0x000001D53C740000-0x000001D53C760000-memory.dmp

Filesize
128KB

Download
memory/3980-1330-0x000001D53CB50000-0x000001D53CB70000-memory.dmp

Filesize
128KB

Download
memory/4168-865-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4268-1010-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/4268-2024-0x00000233D4C40000-0x00000233D4D40000-memory.dmp

Filesize
1024KB

Download
memory/4268-2025-0x00000233D4C40000-0x00000233D4D40000-memory.dmp

Filesize
1024KB

Download
memory/4328-1458-0x000001BA89670000-0x000001BA89690000-memory.dmp

Filesize
128KB

Download
memory/4328-1471-0x000001BA89C80000-0x000001BA89CA0000-memory.dmp

Filesize
128KB

Download
memory/4328-1447-0x000001BA896B0000-0x000001BA896D0000-memory.dmp

Filesize
128KB

Download
memory/4328-1443-0x000001BA88750000-0x000001BA88850000-memory.dmp

Filesize
1024KB

Download
memory/4476-1587-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/4536-715-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4624-1441-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/5028-884-0x000001E7ED920000-0x000001E7ED940000-memory.dmp

Filesize
128KB

Download
memory/5028-867-0x000001E7EC800000-0x000001E7EC900000-memory.dmp

Filesize
1024KB

Download
memory/5028-872-0x000001E7ED960000-0x000001E7ED980000-memory.dmp

Filesize
128KB

Download
memory/5028-897-0x000001E7EDD20000-0x000001E7EDD40000-memory.dmp

Filesize
128KB

Download
memory/5048-673-0x000000001C460000-0x000000001C46A000-memory.dmp

Filesize
40KB

Download
memory/5048-469-0x000000001C620000-0x000000001C6AE000-memory.dmp

Filesize
568KB

Download
memory/5048-621-0x000000001DFE0000-0x000000001E0FE000-memory.dmp

Filesize
1.1MB

Download
memory/5048-705-0x000000001CF20000-0x000000001CF2A000-memory.dmp

Filesize
40KB

Download
memory/5048-669-0x000000001C3D0000-0x000000001C3DA000-memory.dmp

Filesize
40KB

Download
memory/5048-668-0x000000001C3C0000-0x000000001C3CA000-memory.dmp

Filesize
40KB

Download
memory/5048-660-0x000000001E250000-0x000000001E272000-memory.dmp

Filesize
136KB

Download
memory/5048-619-0x000000001C940000-0x000000001C94A000-memory.dmp

Filesize
40KB

Download
memory/5048-670-0x000000001C3E0000-0x000000001C3EA000-memory.dmp

Filesize
40KB

Download
memory/5048-671-0x000000001C3F0000-0x000000001C426000-memory.dmp

Filesize
216KB

Download
memory/5048-690-0x000000001CEC0000-0x000000001CECA000-memory.dmp

Filesize
40KB

Download
memory/5048-618-0x000000001C110000-0x000000001C11E000-memory.dmp

Filesize
56KB

Download
memory/5048-470-0x000000001C8B0000-0x000000001C93E000-memory.dmp

Filesize
568KB

Download
memory/5048-704-0x000000001CF40000-0x000000001CF52000-memory.dmp

Filesize
72KB

Download
memory/5048-464-0x000000001BAA0000-0x000000001BADA000-memory.dmp

Filesize
232KB

Download
memory/5048-442-0x00000000025C0000-0x00000000025CC000-memory.dmp

Filesize
48KB

Download
memory/5048-426-0x000000001C950000-0x000000001CE78000-memory.dmp

Filesize
5.2MB

Download
memory/5048-425-0x000000001B2C0000-0x000000001B2CC000-memory.dmp

Filesize
48KB

Download
memory/5048-687-0x000000001CEA0000-0x000000001CEA8000-memory.dmp

Filesize
32KB

Download
memory/5048-672-0x000000001C420000-0x000000001C42A000-memory.dmp

Filesize
40KB

Download
memory/5048-676-0x000000001CE90000-0x000000001CE9A000-memory.dmp

Filesize
40KB

Download
memory/5048-675-0x000000001CE80000-0x000000001CE8A000-memory.dmp

Filesize
40KB

Download
memory/5048-674-0x000000001C480000-0x000000001C48A000-memory.dmp

Filesize
40KB

Download
memory/5048-402-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/5048-689-0x000000001C430000-0x000000001C43A000-memory.dmp

Filesize
40KB

Download
memory/5048-620-0x000000001DF30000-0x000000001DFE0000-memory.dmp

Filesize
704KB

Download