Malware Analysis Report

2024-11-30 19:22

Sample ID 240305-y61dcagd9x
Target https://gofile.io/d/QSTG2B
Tags
agenttesla agilenet keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://gofile.io/d/QSTG2B was found to be: Known bad.

Malicious Activity Summary

agenttesla agilenet keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Modifies registry class

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 20:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 20:24

Reported

2024-03-05 20:31

Platform

win10v2004-20240226-en

Max time kernel

418s

Max time network

399s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/QSTG2B

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\system32\osk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 2820 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2820 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1308 wrote to memory of 2036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/QSTG2B

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0b5146f8,0x7ffe0b514708,0x7ffe0b514718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3120 /prefetch:8

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm V5.0.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe

"C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0b5146f8,0x7ffe0b514708,0x7ffe0b514718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6608 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1

C:\Windows\system32\osk.exe

"C:\Windows\system32\osk.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x494 0x2f8

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0b5146f8,0x7ffe0b514708,0x7ffe0b514718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe

"C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0b5146f8,0x7ffe0b514708,0x7ffe0b514718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11654520831061527261,10669677592235864062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe

"C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 gofile.io udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FR 51.38.43.18:443 gofile.io tcp
FR 51.38.43.18:443 gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 s.gofile.io udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ad.a-ads.com udp
DE 78.46.32.91:443 ad.a-ads.com tcp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 91.32.46.78.in-addr.arpa udp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.242.75.51.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 cold2.gofile.io udp
FR 31.14.70.251:443 cold2.gofile.io tcp
FR 31.14.70.251:443 cold2.gofile.io tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 251.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 cdn4.cdn-telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.35.152:443 cdn4.cdn-telegram.org tcp
US 34.111.35.152:443 cdn4.cdn-telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 152.35.111.34.in-addr.arpa udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 t.me udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0764f5481d3c05f5d391a36463484b49
SHA1 2c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256 cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512 a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

\??\pipe\LOCAL\crashpad_1308_PVIRIHMSSXJEVIKC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e494d16e4b331d7fc483b3ae3b2e0973
SHA1 d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256 a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512 016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 300f41bfb0a641864bcf99f4b9e402d0
SHA1 36e10a5b56cd493df466d982fbefe0c11332012f
SHA256 318139d16345f8f20f89931b828663da0dda935cbff2eab51dc66507cec8b610
SHA512 6b605f2737831747160d8755f5932a0bc7990ffd78b33bc10a0bf6d1d606ff8db3e23f75a6eb29022213a8c14451135c7f135c920eb493a67306e124f078597d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 95552dbe92fa923f1fe0ff479db6034e
SHA1 a65a1af52dacae8537cf324425053ff0cf36888e
SHA256 2d20f3741b64f38064dc6d6bdee95c0f0c01a500d66edfc539bf04359125f48f
SHA512 ecc276c4b580d5bef735824e5411827cba97d1dc1547682c027d7b28fe33276aeb383d071e9b761c36afad8b6e037a93271d36ec917a615c343f1365bb7141e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cb6f9ca245f46b60867218e078c0429e
SHA1 0579c7c39c587c6acf045637a6bd9d8a3315c755
SHA256 a9b46de3ae81e9b63ea7a0b608eda954bcbb3c5b90d17c2b795ed39135325fc8
SHA512 020e578f69669ac8804c34ad680796725ed7752cc56f54aa5ee3119e9a0ae2559c9130b8499071ed341101bd69d1a80ad5666825ca9d732dc5dc3ec037b3d001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7d07ad3f3398e5601d495c26fbbe9fce
SHA1 e0eb6f576070c90bfa1e1c21d2a6bfe22425cd94
SHA256 f9539551872875c1927057525aeeba41ed42d93e503e901be43b4581afe6a6d9
SHA512 93d8be77ce45858936369e3f497218087a0e9e356c44ec8dfd2f711eeb0ec8de6f71c2a6442df473d05346427a05884cbd182a3463e11e26e4c5ef5f9f2b0042

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 675ec5bb2972302b735fb0f72581e0b2
SHA1 e972ef4420f9dc254233a93715b25b4f19f6a97a
SHA256 8884f6a8c4d9840519f47d0bb6c9191bd629fde549e1b2541c0500fdb32acbe6
SHA512 6142659e9f95aec5c128141a0c0126288cfa959fe3322ba2b210170c9493b09ad73350c3c02826d9ec34e5506c93185076036a43e2c85f47f98ab7cca888e827

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2dbd76b0db02846881c9a8991750550f
SHA1 41f7fe646adf42e71b9203944d4c10e9d28b235e
SHA256 5db398d273e4437e4ad62ac68d82abad458830021e07cb177a50a22bb29e0dfd
SHA512 9bd414822eec481173c389bcb6b10274ea7e8e5559e696a72a4540381f8fe8efb1f31379b7e00206de9e8982c5764235ec7d4ed61b9c4a53f1f5c6be0b30e09b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d91a.TMP

MD5 b6e3cd1b7514cbd03d8b19afe96beef3
SHA1 b4a8652faae9b87020a3486fc72056a1a9519119
SHA256 7e1ec4a759e25d388373ea07fea57664fef59f053e11148a49e6f16517106ac7
SHA512 e50218e02679196ff25827dc8450a71e2cf7668774341ebd76edcf3ef7037ba95c72eecda4033528eeb04bc4627353401da2ffeb0a19750681df5c710dabe662

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 edd641cd4d80e955db98069225963575
SHA1 8718f1c2d5f611d4f800043932f1d49175c2900d
SHA256 899c52e1f7b8f29836ac604e4daf95259cc6915e0315c0f78b7137ae6dbe10d7
SHA512 af10949c0eaa0bc89d98b9e2e24e82bfdbbef344c164b25f342480e7c5f7457e54915c985eafcb32e610af2d15b2dc477ebb7adc28953d0523ac7ab7cab6643c

C:\Users\Admin\Downloads\XWorm V5.0.rar

MD5 1326529a28b507f825142778b2659d38
SHA1 26372c083fe7fa76e1cdb9c1829d29994153f7a6
SHA256 171f4fcc6cf4d1b3dfd6e1c901d20a811b671628e3c203bec9f5abfd85bd8c2d
SHA512 e832f2b6ce7f4122cb469af4802956821de91789198ffa9f5efbd344c38ae4b4eb7f09daf7ea15751fd4277a7d1a44811c51fc2a91749c497fc2c486e6601ef0

C:\Users\Admin\Downloads\XWorm V5.0.rar

MD5 0f147898965b0077f4c7f34f7d0702d2
SHA1 6c406139603a0f5319a24867b7c9a95540a97ff3
SHA256 78fe0a4773e14e720751c39ab45c0c74a2ebd0fe06111694c406a549dadad0f4
SHA512 34f9307405ca0601384c581f493dea8e4c8c5b5a054eb5ecdb53c6ebb753ed3642ceb984e2caa7b681bf2e39e91277924739e7d3026103de7f2ffcc26c09dcbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 19b8e38a66991d3606652bd2a251f9d3
SHA1 836e767754aba5585ac81ad2b52e6d101272b34e
SHA256 138819993cf17c40e003d66cf5fb3cc6df8131e45af340c6a98050d232f3f7ff
SHA512 467240638f095699c99f6bcbdd53b500b494ffa0f6d27ea09a09b3cb665a728e78c4dba73eff0b99359bb08a4d395d64bbecaf5cdd3e2514d661c0f5d8fbf7fa

C:\Users\Admin\Downloads\XWorm V5.0\Icons\icon (15).ico

MD5 e3143e8c70427a56dac73a808cba0c79
SHA1 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256 b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1701a89a-4b4a-40c6-a0cf-e22cdc189912.tmp

MD5 2a35cc206ef3e0a546b96f6d8720857e
SHA1 c9876de55f85b1e376e8fea9926441b88f8c8239
SHA256 eb9ed0fd1691bca731cd673ecd3668354f621b8d74e6a891b2f97e268b3ff7df
SHA512 1aefcdda51fc1eab08aafb4fd6e0c02c94eb1285f6862c8e2134146f38c3b3823d6b5dd289fce5007f32edf95a28549e8d38cf73b61384c1f80d1ae1bc2e63c6

C:\Users\Admin\Downloads\XWorm V5.0\XWormLoader.exe

MD5 39d81ca537ceb52632fbb2e975c3ee2f
SHA1 0a3814bd3ccea28b144983daab277d72313524e4
SHA256 76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
SHA512 18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 68bffbb3ad620242c143bf27777a0cdf
SHA1 dc7ecf7b88340e1f6cd2d0bd5547a30350b250b2
SHA256 aa206e8d280ef0fbbc2aa3e5af16c6993f293aac8a1c13b7b3ef7774416f52c3
SHA512 03fb432f3d306f5fbe1abae8170fb60b2eb1999516470df0fe457f3483413500f3876e08cee32b04dfea9afe2e7006676b2efe9f51503201083f07afe2d9dfd5

memory/5264-369-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5264-370-0x0000000000A50000-0x0000000000A6E000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\RVGLib.dll

MD5 5bbc659b819d1a39f1987136c7d8e014
SHA1 e6d9472deb956cff4b6d706ef475209ceb69d2cd
SHA256 45aa789e30b3239064645d2832e1cb70d132017817499ce73ceb0593a94bb4be
SHA512 5563a0dde515516f3c0cf231a8ad49e1c1c3081444b3159593ebec90d2fd20b0adde200184b0e4e30502ea3b9db3b04ac1f2a14c04bf10e81489f82173769f97

memory/5264-374-0x0000000004BB0000-0x0000000004BF2000-memory.dmp

memory/5264-375-0x0000000005050000-0x00000000050EC000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\MonoMod.Backports.dll

MD5 dd43356f07fc0ce082db4e2f102747a2
SHA1 aa0782732e2d60fa668b0aadbf3447ef70b6a619
SHA256 e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6
SHA512 284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

memory/5264-379-0x0000000004FF0000-0x0000000005018000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\MonoMod.ILHelpers.dll

MD5 6512e89e0cb92514ef24be43f0bf4500
SHA1 a039c51f89656d9d5c584f063b2b675a9ff44b8e
SHA256 1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0
SHA512 9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

memory/5264-383-0x0000000004FD0000-0x0000000004FD6000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\Mono.Cecil.dll

MD5 de69bb29d6a9dfb615a90df3580d63b1
SHA1 74446b4dcc146ce61e5216bf7efac186adf7849b
SHA256 f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
SHA512 6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

memory/5264-387-0x0000000005150000-0x00000000051AE000-memory.dmp

memory/5264-391-0x00000000051B0000-0x0000000005206000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\MonoMod.Utils.dll

MD5 79f1c4c312fdbb9258c2cdde3772271f
SHA1 a143434883e4ef2c0190407602b030f5c4fdf96f
SHA256 f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a
SHA512 b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

memory/5264-392-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/5264-393-0x0000000005110000-0x0000000005116000-memory.dmp

memory/5264-394-0x0000000005220000-0x0000000005226000-memory.dmp

memory/5264-398-0x00000000052C0000-0x00000000052FC000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\MonoMod.Core.dll

MD5 b808181453b17f3fc1ab153bf11be197
SHA1 bce86080b7eb76783940d1ff277e2b46f231efe9
SHA256 da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd
SHA512 a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

memory/5264-399-0x0000000005300000-0x000000000531A000-memory.dmp

memory/5264-401-0x0000000005330000-0x0000000005340000-memory.dmp

memory/5264-402-0x0000000005330000-0x0000000005340000-memory.dmp

memory/5264-403-0x0000000005330000-0x0000000005340000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe

MD5 a2e286110f3afb3e4affa5b849cad822
SHA1 a3f398a0cefabf8e4567613e85fe9ee8d6cb0e11
SHA256 539a69cb69bdbf249a473de3f08e3f1b60b3b9d53df938b153587ba8e49baf01
SHA512 47f07b3d02dbff8676a9b79c0146e5685bec1c311a4dfcde0ac2e5e2f6f9b50d7d38d86a3e993dbe78b820ef4444cd8556a4f975b5b4e3b9f1b493e4fef4394f

memory/5264-407-0x0000000005330000-0x0000000005340000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe

MD5 9f95c535cd0bb5b3514eb3188f4bbee2
SHA1 5279692ba5843054151fbbee73cac00fcd3fbd7d
SHA256 1094342d8c592fc825a0cef0873472ecf0780177ed1da1de3380b85028d2e623
SHA512 45ca87058d16b1a7a622de746cc2802a2dcce03d2ccd0a5adba20b49e7872d5e84990c37790f7e128ee3b5a384f3ce519001481f71cf0d2f3be1ed6714e45159

memory/5264-408-0x0000000005DF0000-0x0000000006862000-memory.dmp

memory/5264-409-0x0000000006870000-0x0000000006E14000-memory.dmp

memory/5264-410-0x00000000055A0000-0x0000000005632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll

MD5 230e9947bdacac72fa6556c32a3fd721
SHA1 c534758bd97f59782da939ca8c43e76df394f920
SHA256 bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd
SHA512 259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9

memory/5264-417-0x0000000073EBF000-0x0000000073EC0000-memory.dmp

memory/5264-418-0x0000000073EC0000-0x0000000073EC1000-memory.dmp

memory/5264-419-0x000000000A2C0000-0x000000000AE76000-memory.dmp

memory/5264-420-0x00000000025B0000-0x00000000025BA000-memory.dmp

memory/5264-421-0x000000000AF70000-0x000000000AFC6000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\Guna.UI2.dll

MD5 c59d2c45e3ba6919ee612ec4a7fa2008
SHA1 103d6931785e0fcd39dbd4c4ac663f623cfefe9f
SHA256 5a270567c3e5cc89ca160916f5bb8b7b0e9ba18c9f8caee7238225710b8f07ac
SHA512 9d89988ab323c4547ef0cd274080b9f4524acfceea849f7125b28bc2d998b3d6673fe166a2e5e9c0e48c44f38a1fce02cbe6cd7e446733c742c395dec24a20d3

C:\Users\Admin\Downloads\XWorm V5.0\Guna.UI2.dll

MD5 7e59214c99d76218ac861953902c26c7
SHA1 6e49a8c6c0f957c4300ca1d4d50f2bf187bb3bfe
SHA256 b9880b94dcdfb97d3a20c6b81255578a35475c9c812d4af187cea3a661c5ab8a
SHA512 971433e7a5470c91b87148a9625608405161845e24dd89c2f95f697eba79ead9c99b05699ebf7bc1aca938e5eea948e514a12dedaff4d2fd8bc9a21588a54e04

C:\Users\Admin\Downloads\XWorm V5.0\Guna.UI2.dll

MD5 a196ea9ccdba8c5ef5bcdc3033a022c1
SHA1 5559a9b24e6adadfbf13b435c9d1c4b823477b59
SHA256 098444da3dca16f2d3081b48ec9a512693a319855e33aafa8b013b2f20735b57
SHA512 771038abcaf2bad2b6a26126cd10b7172eb7f5a75d99151cbf4dbc13f41a5341d49a05f88daa89a79da4315fa39e5802753e03f60aa5742aa50f362798f6b198

memory/5264-425-0x000000000B1D0000-0x000000000B3C4000-memory.dmp

memory/5264-426-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/5264-427-0x00000000736BE000-0x00000000736BF000-memory.dmp

memory/5264-428-0x000000000E280000-0x000000000E2E6000-memory.dmp

memory/5264-429-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5264-430-0x00000000052B0000-0x00000000052C0000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\GeoIP.dat

MD5 8ef41798df108ce9bd41382c9721b1c9
SHA1 1e6227635a12039f4d380531b032bf773f0e6de0
SHA256 bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA512 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

memory/5264-432-0x0000000005330000-0x0000000005340000-memory.dmp

memory/5264-455-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/5264-474-0x00000000052B0000-0x00000000052C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d85840c01a89ed6fa162ae07921b2d97
SHA1 c29a2fa6779f974264da3202a2def49ede6de59f
SHA256 fc130d4b4324fba84faec046b56ba9a5090c7eebe0e70c1af9523400a9103786
SHA512 0f9bca63fbed7aba30f66415bd364c52ff7204fc3a287e1aafc64c50c46d7f24be2c17777a56326df3e45fc3fb664e2bac784aa9bafba0a8f084376835f55ce0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8bb2a116bf28cf0dae249632a7152b14
SHA1 1de3de0a15c16f624ae466e3a65b96916f246df2
SHA256 e0bbdc8cf40104d28aa325b2f60b24952ac874f0e164aab8876f6998c570b788
SHA512 88204e76994ad8c53ba9beab97c3e42283efe90112c1d6bb7e85b45c068178215f140d130eddaaf32b992a55208d92abe5ded969a834e3b8318a2cabfe4bd4e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 47b401e17d65214e6c830bf48aee7ffb
SHA1 e64eeaead40843c4bfc784eb60c9a03b2ed28a4e
SHA256 fac89a6f93ea85ce8cad527705e1ddb8895fd42f4493dcd66343516d7d5d9cc8
SHA512 b818e7697dd4eb55901098f21aeae211b3e9534e0f73571ecb0ec89c08495c756c8c6c35f2675bd8c041303ee6562cfabae307c224cf6d00a241c684c495dfa6

memory/5264-513-0x00000000052B0000-0x00000000052C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 16d2d25368b182355a20a55d16fdc06e
SHA1 e3a2061792af50ea9b0a5357ca2ff8bf6dd5fc7b
SHA256 2e030300ff991071340489e221953e6a8ee36db9464bcd3737dfcd50ea08a6a3
SHA512 7a85fcd21913814419a514b8fd288ba1ed65a06a6ba55988ae8c50e0a52a8885eb067d4a2f451d291c6d25ecde0a9790407a64b1bef10cd3b0d0248bc9bfeb9f

memory/5264-523-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/5264-524-0x0000000000A57000-0x0000000000A58000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6091d94fec63f11d13c1b45b483a9fb2
SHA1 041c1170950f31e8368776c078450d3486a8a8ff
SHA256 bdf6bf6dcdecdd2ab619feec1a806f82c6f8e6c2fdc51162a6480418b54b0f76
SHA512 6367b70692929f8e5cd9fbcfb928afb349a8170df08fbceee5e677195849cce16e76810e07e55d2e4e9e6b4d503d11caceae8cde842f4f81654f97991c513af8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b12eab8131e0c6b90300dd3f4f4fbdf0
SHA1 495468e5c85050896ff05c3b659ce6b4b39b9d8b
SHA256 0e3f4de463d319eb7b0de70250274281db8331ffe7ab9d6fde67790f23f77bd0
SHA512 17023d24c429b84c51776e996c68fede150a55522302670d3114d1ccfa46f1aa79f25c94a49e4b801643306e9fe468ebdea4e493f3bbb1dcd695af8e8a841b8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3bec2ab9a81c63ef38d64d3bfd356aac
SHA1 046c557d3e6543d5cd9b83cc0590959c621a0f15
SHA256 b3ba56053362454402fbd1ddacc6bbfb4b58da75e9028d9eb73e42eacb4bde92
SHA512 a5f0e65b9c04b6a60adcdfb498f0245c4f34afc5f4ee52af7a2f78a07401cd301b5371e00dfebc037e0cfd8cad452a1f2910717a805e26b662a909c0a9dc4b89

C:\Users\Admin\Downloads\XWorm V5.0\Sounds\Intro.wav

MD5 ad3b4fae17bcabc254df49f5e76b87a6
SHA1 1683ff029eebaffdc7a4827827da7bb361c8747e
SHA256 e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA512 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2b55388df17cf4f8ec5425f037dbefab
SHA1 0f3d976e0085a2b5c7ad356e0031ebee875cdc21
SHA256 9c695ffbea9f57d4d48c018b6674b330838189a8c559db22d6aadaf0f6195c46
SHA512 03bde00589588d144d6eca3bfcce1bf24e047fcd64d9d4d6a965d7e6e80d5bd91d5b5b0f3c10b212b9e708f24d70128300da9ce537813159d8e0252a7cdd3c42

memory/5264-611-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/5264-612-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/5264-615-0x0000000005330000-0x0000000005340000-memory.dmp

memory/5264-614-0x0000000005330000-0x0000000005340000-memory.dmp

memory/5264-616-0x0000000005330000-0x0000000005340000-memory.dmp

memory/5264-618-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/5264-619-0x0000000005330000-0x0000000005340000-memory.dmp

C:\Users\Admin\Downloads\XWorm V5.0\XWorm V5.0.exe

MD5 d694affe7962ddfb541b80937c13766d
SHA1 03e167d930eda4b486559b1d81c2601964dec4b0
SHA256 1ac407cd02e7e9f9ae37293bbb7c2bf62592f8ae0003d0a45ffb7c5ebee51964
SHA512 3e627514e7eaef4cf7aec3f58f770bc64e7eb08f8b8b203f9df99c88254838e34ae1411a2a90d1599936b6e849f45b9702b6588163ad8e85ca9b322c87c33fe7

memory/5436-621-0x000001C897B20000-0x000001C898592000-memory.dmp

memory/5436-622-0x00007FFDF6420000-0x00007FFDF6EE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll

MD5 a239b7cac8be034a23e7e231d3bcc6df
SHA1 ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d
SHA256 063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8
SHA512 c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

memory/5436-630-0x000001C8B3220000-0x000001C8B3230000-memory.dmp

memory/5436-631-0x000001C8B3FF0000-0x000001C8B41E4000-memory.dmp

memory/5436-632-0x000001C8B3220000-0x000001C8B3230000-memory.dmp

memory/5436-633-0x000001C8B3220000-0x000001C8B3230000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4c4353e7e2241382ef71813f224d4430
SHA1 5357c8d468f754db53b1a264d4bab0363254b584
SHA256 e4e7fadd5dcbbfe99564e3b951102ab0ef88d34ccee3c754a553122a9f0e2efa
SHA512 1bd02479d301f00f3773c682ea1b40ad06e25f4d0015ef9586a361ca82f9eed6733ab436d010e05c101c7447aefa4ea42d9c338252a77b636f0a34a99b854cbc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 ec07ec9529f1e042a96e04f891d81a3d
SHA1 f987ee512dc69721a8f2994df82b6362f0dc5786
SHA256 d98f9835f3e5f050b96608928fd8fb2bad0c2085342c7ea246277bda6bfff371
SHA512 d79d501e4ceaa15e0c02951453ca657cca0cb5b11372ee2602105ba6dde0032611643b014f919d0fc09dadedc60c4e761eec76e4bacdbf9709e586d3df1f0675

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 14e39be019da848a73da7658165674cb
SHA1 e016473c4189a8cc3dbff754a48b3e42d68af25a
SHA256 39595a1806156cfcadf3cc4e20c5c3f3eec721386a0551790a15f025ba9402bd
SHA512 828a383de549871aa80ec960a7e371ef47da96d01ebb9628d1484ceed9eb698aec5109b3de0b24ff8000610a2c2d633616c9fd28d380656fecbaa930cffed029

memory/5436-665-0x00007FFDF6420000-0x00007FFDF6EE1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XWormLoader.exe.log

MD5 2241a3a43a2f0923ec8c4607a12988a0
SHA1 1c71e9c622e9e03d05c3fa01ab5032812c7fc737
SHA256 d10b3a47ca9ce684c66321e5ca09078970b2d32b558c63ce3d774a5890bd8fde
SHA512 8e8b2fd4af5dd56e0010ad98bd7f436e9174111b14682fe36f5d73d5eba6c051b684ff411e12ac6163dd87f50f091821fd414e148ee37d35206ecd83a76959db

memory/5560-672-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/5560-675-0x0000000005690000-0x00000000056A0000-memory.dmp

memory/5560-676-0x0000000005420000-0x0000000005426000-memory.dmp

memory/5560-677-0x00000000055D0000-0x00000000055D6000-memory.dmp

memory/5560-680-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5560-679-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5560-681-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5560-682-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5560-683-0x0000000073F5F000-0x0000000073F60000-memory.dmp

memory/5560-684-0x0000000073F60000-0x0000000073F61000-memory.dmp

memory/5560-685-0x0000000005690000-0x00000000056A0000-memory.dmp

memory/5560-686-0x000000007375E000-0x000000007375F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4fcebe989c83342cb0bf3c199a654a26
SHA1 5a8917c114b6a77a1d272567f8a56938c51b5ec4
SHA256 80c9ee725c8aa9a122dee37819570f57adc5a7f264b46b068f2dccb787ca007f
SHA512 96c31f46cebd6dd43b38ecdf0ffe8805e626d5f9202cf4476e354da53a287de855a94703e949ca37e48b7d1ba58453c5c786f618879b0920186a912dc8f24403

memory/5560-716-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/5560-726-0x00000000056E0000-0x00000000056F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7767286fccd7f4a3f32b6888a7203cae
SHA1 925f82d469baac8470efad739b21c3f520e296fb
SHA256 e0e86ec8c4fc93370f1aeacad551c68a87034b9f671772724c57125162cf129c
SHA512 c7a201f9ec34797a977d9c483d47fc759948c1f90b3422f35585bcfb931821cb6b37c07d1630d077c5b75ba3a3c1ef19689e0f8af512647b8675fbeb295d2f2a

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 20:24

Reported

2024-03-05 20:26

Platform

win11-20240221-en

Max time kernel

113s

Max time network

125s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/QSTG2B

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 2508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 3492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1924 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/QSTG2B

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d5093cb8,0x7ff8d5093cc8,0x7ff8d5093cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,508676386168284905,4685097891178101457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gofile.io udp
FR 51.38.43.18:443 gofile.io tcp
FR 51.38.43.18:443 gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 184.179.17.96.in-addr.arpa udp
FR 51.38.43.18:443 api.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7c194bbd45fc5d3714e8db77e01ac25a
SHA1 e758434417035cccc8891d516854afb4141dd72a
SHA256 253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3
SHA512 aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 caaacbd78b8e7ebc636ff19241b2b13d
SHA1 4435edc68c0594ebb8b0aa84b769d566ad913bc8
SHA256 989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a
SHA512 c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d0e775893e0b812e5c03e0dbe253fb60
SHA1 671cf9071de1d120d78ce9a2c598ec9472695880
SHA256 23b9a6df5292853cd2a99ea89ad27ffb5b61598754f554213a552d79f1e4bf76
SHA512 6f166052f9ec69b9b1e647feb4c8fd897d788660ef836d78e2120004ef69f18ae83be6a301e13bd8e4cde61c6752a256917f0f2364a57090498cd3de15cdbed0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9f0fb826cefcf6a1ed0a05bcb3f2bd8c
SHA1 069cfb2f32a95904d7e30e32c442fb7b7c46ea77
SHA256 7a18201c69eb00a7475a23581f433e212541b68dad0d1a3e7293b24108fb65af
SHA512 f2a223bb5a0ef7cbc6c3cf0566e0d6e36a1d996f02fb64623c622c3fdcbd620e30ae322bcaa34eafbdca49fe8ab90d335d5e9ae6ae21a0fcec47ff22d77126cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5c0da63409804070b1855349d287b33b
SHA1 7b20151d07325e4da1cf4e64fed76f6bcedaa442
SHA256 ebcf0f52341f015a9c92301a8a1467c42894879fda0febfbc792f97a46f7e3c4
SHA512 a29dbae6756d558b5328c3ec37232751c76dec673995abf80b2e196518e775400574a39c63cb4749dba3e3c81bb5f3d25129e310f65fa2a005821e57e88ce55c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2135c5cc614c81871227d7eaf4d5ae74
SHA1 9bdfb8d8ed0a6cbf04327bad23667a0aadd3843d
SHA256 9a1bb9a2e55c2f6f0561646f9a451bffaaddaf2741128f5fa9895509fa0a28b4
SHA512 bbfeb25b20fabeef7ded557ae373ac943804f482364901c233a6ae4045f1cef1bf615c2b01a16d3eb04f83ff51cf39b7d2a75b35dd6d24813544087ecbd7a888

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9a9cbb3ee4377e307f078bee862af0b8
SHA1 61b6c5160cd28a9bb851b5698cf6df2f8b03984b
SHA256 688e441778e170142bfe738f57cdc6cd5eceaba17e4d11610b2241d96a2dc6f0
SHA512 683496f7e51cd66abb0e025a077f49ce934a67ff9a3128852e5c1a8979d6987234887a297f9b08b2e6626106c52d2ada6d09d3ba7f6ede84b8c31bee16ffe6fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d34e.TMP

MD5 20c1319df928e0cd5d59c83df3dfdd09
SHA1 80658fb0b767c5c65bd9b2ee7ffb3f48d56f2d3b
SHA256 adfa4940bd600240188d0c78ce4fcfcdc6a2796e3820486f1c97903c005c87c6
SHA512 09857be60d785053f60e64c1c71807a571858e154e8f14e25fcb7550e0048d113f196233b5a84b90ff1b64a0f0a1a60d4d69e0c347e0ad3d1a07c16488d3e945

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1b76987ca4675050bd5311670c446543
SHA1 0549d015509ec23ebeb6fdf1a85e1cf96ccf43b6
SHA256 4433acd632cc24eb03a7d99c051153dfd615b6ce95be80d48aada483ace7c29e
SHA512 5762099149b8fbbaa3e8e24168ac670f742ea7712fdab57af1bb7231c766cf66dda52efcb3533ab022a59ec1ce0bbca48f9a07ef1075e2b5612f3b76cd4510bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 463ca84d59512cd4653c827c4ed17bb0
SHA1 d54c797c1253582be266bab8044a87953f06a91d
SHA256 a0013c78abf9022fafbf2c6c8ce463a5225333e6128721e8df12d9eec6026193
SHA512 ab19f2e03460db8477386aab0423ae5b4d7bd4a70d19b5ae27be50f9410cf5f46f05b8dd4bd43f6c87f4f72cb0d99e370e4644fcc8db7b8c3e951deffe35e517

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f7882637afc8b3a8573ee92354ac52fd
SHA1 57f51eab9658e1b2125ceb9f2542b238638210ca
SHA256 f283cbe13d4f8e24cbcab3dd49e62a50d45ca40080cccdb55d2b7e0ec2d90ae9
SHA512 25dc3f0569e9e4e01d11b8362e068f19590b4f81dfec23c89beba2edca96436a150d31f4c747622ff9484939ad98bb2e7a0b3553fe7388f49b0d3fb24c4a6baa