Analysis Overview
SHA256
0c753ca939dc8c012bc327f6662e8ff3fa8a18e549b27b31be7e6a9a62a40826
Threat Level: Known bad
The file instruction.txt was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detect Xworm Payload
Xworm
AgentTesla payload
Uses the VBS compiler for execution
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-20 20:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-20 20:06
Reported
2023-10-20 20:08
Platform
win10v2004-20231020-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
AgentTesla
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 60003100000000005457e5a0100058574f524d567e312e300000460009000400efbe5457e4a05457e5a02e000000772e02000000070000000000000000000000000000005d0ae600580057006f0072006d002000560035002e00300000001a000000 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3" | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\instruction.txt
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.0.1452772280\657892286" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96605ed9-e73b-4bcb-9c67-477e3e01fa67} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 1996 238852d8a58 gpu
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f45546f8,0x7ff9f4554708,0x7ff9f4554718
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.1.1413160332\1355975850" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2296 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2f8d2d-16a8-417f-a467-20deab57677c} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 2396 2388520de58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.2.755457372\1682818251" -childID 1 -isForBrowser -prefsHandle 1724 -prefMapHandle 1736 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7d271e5-6dae-45e1-9d20-1ff1b8d603c1} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3292 238893fb258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.3.113905748\742965972" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17fd69fa-063f-42a3-bdc7-1a2b4626020d} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3628 23887da8658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.4.1653326702\792164990" -childID 3 -isForBrowser -prefsHandle 4584 -prefMapHandle 4600 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53367d16-634d-498f-810a-72fab2a114eb} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 4580 2388975a258 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6060 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450 0x504
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe
"C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggdmp1yc\ggdmp1yc.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5951.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35B8FB7C427E45D2B31BD24CE2BFCDC.TMP"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\XWorm V5.0\Fixer.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
C:\Windows\system32\lodctr.exe
lodctr /r
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:52131 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:52137 | tcp | |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | shorturl.at | udp |
| US | 104.26.9.129:80 | shorturl.at | tcp |
| US | 104.26.9.129:80 | shorturl.at | tcp |
| US | 104.26.9.129:443 | shorturl.at | tcp |
| US | 8.8.8.8:53 | www.shorturl.at | udp |
| US | 104.26.9.129:443 | www.shorturl.at | tcp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | 5.145.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.9.26.104.in-addr.arpa | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | na.static.mega.co.nz | udp |
| CA | 162.208.16.210:443 | na.static.mega.co.nz | tcp |
| CA | 162.208.16.210:443 | na.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.14:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.14:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 210.16.208.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.125.203.66.in-addr.arpa | udp |
| CA | 162.208.16.210:443 | na.static.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | tcp | |
| N/A | 127.0.0.1:6341 | tcp | |
| US | 8.8.8.8:53 | gfs204n165.userstorage.mega.co.nz | udp |
| NL | 185.206.24.113:443 | gfs204n165.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.113:443 | gfs204n165.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.113:443 | gfs204n165.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.113:443 | gfs204n165.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.113:443 | gfs204n165.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.113:443 | gfs204n165.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 113.24.206.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 754523d771955ab4c041680eeb69554c |
| SHA1 | 15aff9c903f605d39e7ee8dfb5ac123f12d44e46 |
| SHA256 | a62b82647bea79e03673c97a84ce7f5cd3262c301e30c80d37ebba57120a4ed5 |
| SHA512 | 657e01e051dfa2567c927f7d83714578aea5802e03acb2924de08b74484cd97fcd885bc295cab0add97751dd25b1db3c31df907b525ae692194c5a87e5c2f520 |
\??\pipe\LOCAL\crashpad_1500_VJIPCCIDRGVICRMG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore.jsonlz4
| MD5 | ac1ac8345b5c866277cf747119c24138 |
| SHA1 | 64aeb9d9df71844070dfee3908c671635d308dd6 |
| SHA256 | 050d4485594ea97dea3ba9756fe87fdbfb9da577bf559282fd6defc52a7a2357 |
| SHA512 | 0932c1df51f008786442e16088c5ccff5120423a25df0286b9c3afdd8a12617853e039c7cb4a0ba5efefb351c17e677c4981877c7355e7e83a8953c243083c27 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js
| MD5 | 216c94bf64236c34e9dcb24e1178d34f |
| SHA1 | 3b0f7c54f1bb6da0fda910731bef69da35e1cea1 |
| SHA256 | b85eb5d66ca3c6aa46d4b309b5aa8c3b5c75450882529b0954cb99b587045693 |
| SHA512 | b3788e634baa9f83cc9e5403e3f361e7933874738e9a576dc6e203978cd4bc7b8d2b9290dcdc1b7db9d1b228a5ec0d1165697df06071164bfd54bc8c52329895 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/3584-174-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3584-175-0x0000000000AD0000-0x0000000000AEE000-memory.dmp
memory/3584-176-0x0000000005510000-0x0000000005552000-memory.dmp
memory/3584-177-0x00000000059E0000-0x0000000005A7C000-memory.dmp
memory/3584-178-0x0000000005980000-0x00000000059A8000-memory.dmp
memory/3584-179-0x0000000005960000-0x0000000005966000-memory.dmp
memory/3584-180-0x0000000005B20000-0x0000000005B7E000-memory.dmp
memory/3584-181-0x0000000005B80000-0x0000000005BD6000-memory.dmp
memory/3584-182-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-183-0x0000000005AA0000-0x0000000005AA6000-memory.dmp
memory/3584-184-0x0000000005AF0000-0x0000000005AF6000-memory.dmp
memory/3584-185-0x0000000005C20000-0x0000000005C5C000-memory.dmp
memory/3584-186-0x0000000005C90000-0x0000000005CAA000-memory.dmp
memory/3584-188-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3584-189-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3584-190-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3584-191-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3584-192-0x0000000006780000-0x00000000071F2000-memory.dmp
memory/3584-193-0x0000000007200000-0x00000000077A4000-memory.dmp
memory/3584-194-0x0000000005F30000-0x0000000005FC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
| MD5 | 230e9947bdacac72fa6556c32a3fd721 |
| SHA1 | c534758bd97f59782da939ca8c43e76df394f920 |
| SHA256 | bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd |
| SHA512 | 259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9 |
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
| MD5 | 230e9947bdacac72fa6556c32a3fd721 |
| SHA1 | c534758bd97f59782da939ca8c43e76df394f920 |
| SHA256 | bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd |
| SHA512 | 259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9 |
memory/3584-201-0x0000000073FDF000-0x0000000073FE0000-memory.dmp
memory/3584-202-0x0000000073FE0000-0x0000000073FE1000-memory.dmp
memory/3584-203-0x00000000077B0000-0x0000000008366000-memory.dmp
memory/3584-204-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
memory/3584-205-0x0000000008460000-0x00000000084B6000-memory.dmp
memory/3584-206-0x000000000AC60000-0x000000000AE54000-memory.dmp
memory/3584-207-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3584-208-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-209-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-210-0x00000000737DE000-0x00000000737DF000-memory.dmp
memory/3584-212-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-211-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3584-213-0x000000000DD60000-0x000000000DDC6000-memory.dmp
memory/3584-214-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-215-0x0000000000AD7000-0x0000000000AD8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 33cd05e534ff62557b8f7311bcc381ae |
| SHA1 | 5b7e8d58b93a1d612430ee4c634d2209f6204c87 |
| SHA256 | 34b9fb264f16b6fb7446378bd84c76c887cf3d7b2d652ff017ac0a897c8bd703 |
| SHA512 | 1372bc8936ce4968c76e6dcd630962ce419bed31a61e67686741e2573bef04e8e44944a754865e35b52f39fc02f0f76f9ec1aaab05e3d6d7b5310ca36b34423e |
memory/3584-225-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-226-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-227-0x0000000005B10000-0x0000000005B20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ggdmp1yc\ggdmp1yc.cmdline
| MD5 | 6265a9021ab33aacb80505fe4acf04d9 |
| SHA1 | 2acfc11970a836b84a3b54665b7507205744d7b2 |
| SHA256 | 9e587a92973a27c7b49dc09de939e58d059f5781e3d67f76eb8218ce99cebc81 |
| SHA512 | daea6a034ec03bfd60eb57f782e535afed1a19e84ff2e1ecbc258880076c469c2e66160ad2b73da11233ef25c0a28e0665617ebf4a8dc8802cce2f36d2bca625 |
C:\Users\Admin\AppData\Local\Temp\ggdmp1yc\ggdmp1yc.0.vb
| MD5 | ad4c7b7cd17c722da8d8db13b5a8453d |
| SHA1 | 75456a9b25822fcf4c72cf99ac461a61c37cadd3 |
| SHA256 | 6b2bd97f5fa856a55b7c982950be53ba85645a4374b0281ebcb151594d2a2da3 |
| SHA512 | a0d38760a4d8295e5bd2b43f648ab0f68fb7da54b4e16303cfbf0fe86d326f5906c286527b41bd86bc9af91f2d44fbcb23be39237a3517c271d108cc7ce9f08f |
C:\Users\Admin\AppData\Local\Temp\vbc35B8FB7C427E45D2B31BD24CE2BFCDC.TMP
| MD5 | d40c58bd46211e4ffcbfbdfac7c2bb69 |
| SHA1 | c5cf88224acc284a4e81bd612369f0e39f3ac604 |
| SHA256 | 01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca |
| SHA512 | 48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68 |
C:\Users\Admin\AppData\Local\Temp\RES5951.tmp
| MD5 | 490b7bfc4804cc6dca382654bf54a51c |
| SHA1 | c8dab67e2cc615367be5062379bfbca16eea4611 |
| SHA256 | c1b08f749c0e3f4f7046ddee8cf5924ab5614958ad1087d9404ee06b1d7fc695 |
| SHA512 | 2683c6b4f41e64b2983403315b611fb088d439495ad143b03ce21b2072901bb14e31e87736ce9a5251169c18bcbe5d9b7c2247f3623c4725960ce39de094ebab |
memory/3584-242-0x0000000005B10000-0x0000000005B20000-memory.dmp
memory/3584-245-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3584-246-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3584-247-0x0000000074880000-0x0000000075030000-memory.dmp
memory/3584-248-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
C:\Windows\System32\perfc011.dat
| MD5 | 50681b748a019d0096b5df4ebe1eab74 |
| SHA1 | 0fa741b445f16f05a1984813c7b07cc66097e180 |
| SHA256 | 33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a |
| SHA512 | 568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e |
C:\Windows\System32\perfc007.dat
| MD5 | c6a00700213a4cdfac7b02faabc2fa10 |
| SHA1 | d1fab1803050a67c59dfce442c1f1dacb166d0dc |
| SHA256 | 987d276742eba82260ac1509adc8678651d30103162b44d4e62fbde1b2f28559 |
| SHA512 | e3c879502f91b7e4ccbd300372108ffe0cfd2e49070c54f1b27fb83d3c0a7344ea7393b619f1fd6b21314915e32c50fb93f5a1511a383098107c57f1a14faf1d |
C:\Windows\System32\perfh007.dat
| MD5 | eadd51b4e0a81aa0a1ec7392a1ce681a |
| SHA1 | f384c3bc0f16ccb5049ebbf7df776e684da84706 |
| SHA256 | 1a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4 |
| SHA512 | de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4 |
C:\Windows\System32\perfh009.dat
| MD5 | 80496b7a39979146a130dc67571bb8bb |
| SHA1 | d64dd42402b23e5659162e777492b742f2616848 |
| SHA256 | 4ada882055aa543d45dca0b95c1ad03d19b1ec0629c3585070ef1e10ecbd5711 |
| SHA512 | 6ef96110dcaa82375c13ebc1dab6b734e5b363f79a553d578a4f8e6be7dcfbe242d00f01f4f800ae8b68a10c19bf9a93ee81bfb60a913e893d5559dbc0cf1e0c |
C:\Windows\System32\perfc00A.dat
| MD5 | 69c02ba10f3f430568e00bcb54ddf5a9 |
| SHA1 | 8b95d298633e37c42ea5f96ac08d950973d6ee9d |
| SHA256 | 62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e |
| SHA512 | 16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e |
C:\Windows\System32\perfh00A.dat
| MD5 | 49032045f6bcb9f676c7437df76c7ffa |
| SHA1 | f1bf3ba149cd1e581fe12fb06e93d512fe3a241b |
| SHA256 | 089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641 |
| SHA512 | 55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1 |
C:\Windows\System32\perfh00C.dat
| MD5 | 518020fbecea70e8fecaa0afe298a79e |
| SHA1 | c16d691c479a05958958bd19d1cb449769602976 |
| SHA256 | 9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125 |
| SHA512 | ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e |
C:\Windows\System32\perfh011.dat
| MD5 | f4f62aa4c479d68f2b43f81261ffd4e3 |
| SHA1 | 6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa |
| SHA256 | c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c |
| SHA512 | cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3 |
C:\Windows\System32\perfh010.dat
| MD5 | f9fcefdf318c60de1e79166043b85ec4 |
| SHA1 | a99d480b322c9789c161ee3a46684f030ec9ad33 |
| SHA256 | 9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7 |
| SHA512 | 881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8 |
C:\Windows\System32\perfc010.dat
| MD5 | bea0a3b9b4dc8d06303d3d2f65f78b82 |
| SHA1 | 361df606ee1c66a0b394716ba7253d9785a87024 |
| SHA256 | e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927 |
| SHA512 | 341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88 |
C:\Windows\System32\perfc00C.dat
| MD5 | 8b4b53cf469919a32481ce37bcce203a |
| SHA1 | 58ee96630adf29e79771bfc39a400a486b4efbb0 |
| SHA256 | a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42 |
| SHA512 | 62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575 |