Malware Analysis Report

2024-11-30 19:08

Sample ID: 240310-vzrwvahb23
Target: Win Quick Config.exe
SHA256: 3feaec930748c0217b9201c660288196dc972dddb85211224a21a282fba4650f
Tags: agenttesla agilenet discovery keylogger persistence spyware stealer trojan neshta
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3feaec930748c0217b9201c660288196dc972dddb85211224a21a282fba4650f

Threat Level: Known bad

The file Win Quick Config.exe was found to be: Known bad.

Malicious Activity Summary

Tags: agenttesla agilenet discovery keylogger persistence spyware stealer trojan neshta

AgentTesla

Neshta

Detect Neshta payload

AgentTesla payload

Modifies RDP port number used by Windows

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator

Modifies system executable filetype association

Registers COM server for autorun

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Runs .reg file with regedit

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

Gathers network information

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-10 17:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-10 17:25
Reported: 2024-03-10 17:56
Platform: win10v2004-20240226-en
Max time kernel: 1752s
Max time network: 1758s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe"

Signatures

AgentTesla

Tags: keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies RDP port number used by Windows

Obfuscated with Agile.Net obfuscator

Tags: agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Registers COM server for autorun

Tags: persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\Downloads\7z2401-x64.exe N/A

Checks installed software on the system

Tags: discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipgeolocation.io N/A N/A
N/A api.ipgeolocation.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\lt.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ne.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ru.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sl.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.dll C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fr.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip32.dll C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\id.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sk.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tt.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tk.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bg.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uk.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ms.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.dll C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ko.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\is.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Users\Admin\Downloads\7z2401-x64.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{FB5F1476-D95D-4211-9778-10BFD46AC0FC} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Windows\SYSTEM32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2401-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2401-x64.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 444893.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 299250.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 386484.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\winrar-x64-700.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Windows\SYSTEM32\cmd.exe
PID 1088 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1620 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Windows\SYSTEM32\cmd.exe
PID 2180 wrote to memory of 4944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1620 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Windows\SYSTEM32\cmd.exe
PID 844 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\lodctr.exe
PID 4628 wrote to memory of 4372 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\lodctr.exe
PID 4656 wrote to memory of 1008 N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1008 wrote to memory of 4396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1008 wrote to memory of 4944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1008 wrote to memory of 4220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1008 wrote to memory of 2536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe

"C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ipconfig

C:\Windows\system32\ipconfig.exe

ipconfig

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ipconfig

C:\Windows\system32\ipconfig.exe

ipconfig

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip /q /install

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat" "

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat"

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb3ada46f8,0x7ffb3ada4708,0x7ffb3ada4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x300 0x2f4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5432 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8

C:\Users\Admin\Downloads\winrar-x64-700.exe

"C:\Users\Admin\Downloads\winrar-x64-700.exe"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\ed27940ee8f545e4bd3e463b2ac9b4f2 /t 3932 /p 4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7404 /prefetch:8

C:\Users\Admin\Downloads\7z2401-x64.exe

"C:\Users\Admin\Downloads\7z2401-x64.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\" -spe -an -ai#7zMap9801:110:7zEvent22981

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Readme.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Fixer.bat"

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb3ada46f8,0x7ffb3ada4708,0x7ffb3ada4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Fixer.bat"

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x300 0x2f4

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip

C:\Windows\System32\perfc011.dat

C:\Windows\System32\perfh007.dat

C:\Windows\System32\perfc007.dat

C:\Windows\System32\perfc00A.dat

C:\Windows\System32\perfh00A.dat

C:\Windows\System32\perfh010.dat

C:\Windows\System32\perfc010.dat

C:\Windows\System32\perfc00C.dat

C:\Windows\System32\perfh009.dat

C:\Windows\System32\perfh011.dat

C:\Windows\System32\perfh00C.dat

C:\Windows\system32\perfh007.dat

C:\Windows\system32\perfh009.dat

C:\Windows\system32\perfh011.dat

C:\Windows\system32\perfh010.dat

C:\Windows\system32\perfc010.dat

C:\Windows\system32\perfh00C.dat

C:\Windows\system32\perfc00C.dat

C:\Windows\system32\perfc009.dat

C:\Windows\system32\perfc007.dat

C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_1008_DDUNRIIOKJGLEPYG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

memory/4656-3008-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fa04fc4a3498e4b6dd284ab8500aeac2
SHA1 faf6e6494fa6b16325c721b333eb6ecdd692ffca
SHA256 ea793397d765555579a250da048a4e6d7b76aecf7549964dcf372dd3fd507bb4
SHA512 89bf09d856e5a449e4cb357613fcf57a38b9ac39cac7873565b49115ece3c820ace8a88de982eb1f7df2fa39788361bba999cc1d32d1c75c861195d96351d51a

memory/4656-3020-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5520b8e66e67ed126359c76400a61d80
SHA1 57bf4da9ef0fabd8d3f7dca95025863d4102b7c9
SHA256 7a6ca4b013c6d4efaa899fd6aabac26d59b15d5df608c09117c6fa25ec0d6215
SHA512 4115721f21ddb62f206efdd1e6373925c93c7beb4f5d1298c903342652dda90e4f1e0011e27c0ce74b48b26fe20d6b7a1d7432a9a8ec0bb7ceb802aa394c71ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d8a2e1f160dd2db277e50a1523eeb956
SHA1 39c81e923261f10601717700a2d7b8f76a150e08
SHA256 ab2bed1238a7501515d18eb3e3b493db6c383cd6effed1bfae11cb0cf8180a68
SHA512 a5bc86fda4f7cf5d1f4a430204d6de18c030cde57115aa88613bb87ba8c0212bd1a130755e5d7fd2fe4623a29410819b827c5787bf5bb0fac7ce415109bc915c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9c69baac6b5a2f51afd9ca00849db5cd
SHA1 acd3b010235e21a356f34c72f9b1689472589f21
SHA256 732652e55cb1ec800b23e6dc654fe248265a480288832b2ad9ba65000eaf2f57
SHA512 3c45ac800be6ee9a4fe4ae7e6bda0a675938b377db08e6aa5a90c85f065fda9eb8b6a1723e4c5d1f00203d407c22c118a2ece6616ba350bac3f27e77d73589f7

memory/4656-3095-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bafae02e7e8c18390056017445e344b5
SHA1 95ff9b70ff6de48f4808fb64f9ca586d6daa8c2d
SHA256 2bfc9e7af0bf73ceace3e681911061d249816be984f9a0207c4d6bfc8c5303d5
SHA512 7a048eb06f4764aba730d62baead61b47250f29420852c75d91a6decc28a0af120713b0db071ad47b6337294bf029579ca0c71737b43e320d20bddc5e8732dc2

memory/4656-3114-0x00007FFB37E0D000-0x00007FFB37E0E000-memory.dmp

memory/4656-3115-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

C:\Windows\system32\perfc009.dat

MD5 243bb32f23a8a2fa8113e879d73bfdf7
SHA1 2f9d0154d65d0b8979a1aeb95b6cf43384114f70
SHA256 69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c
SHA512 34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8

memory/4656-3117-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

memory/4656-3118-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

memory/4656-3119-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

memory/4656-3120-0x00000187F30C0000-0x00000187F3169000-memory.dmp

memory/4656-3128-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

memory/4656-3129-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1774153e043cec027d294dbb0864fb56
SHA1 6cd4ad82a2703a1c7226085d06a6cdabaed26cd7
SHA256 c6b87c81a3c77d53d344b19ffc692519c469b2361617d8881c853d210e9d01e2
SHA512 354cca86583daeb9705a6256f44d5728cfbba7ad1e9530fcc96c9e351a163a3636aee53695f64550f060b9ecfeafc2618988c2740bc797327d16cda4e5923b5a

memory/4656-3200-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b415ce2cb25bb3841786d2a5bf96818c
SHA1 5a00c4dfdb5179a660316323bbd279045e0ec87d
SHA256 2600a83425f50724251163bfebbd75c5b3b565cec49802927d3bc791f7ecc019
SHA512 735e13fcad4807741fcddbd3d303d085babd0d9909164b1be764968b9d2f869b18432d343b63d3d4f0b4ce2e2b0223dcfe09843f33040fd8be6a0f23fb4983c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe635672.TMP

MD5 da738e25ff3a6852933cb224e2fda368
SHA1 6d9820c667793bae30d0c9ae5cbf5419f438fcbf
SHA256 ea7c80135838a9d86357706deabc959536423b8a2699fc4cd8141cd44ebcb748
SHA512 f473b61cef33182200f67b6cd6ee12de12c65e6a1eeec728dd25e5c57dcf42372501a32ac31be167188c0909bb10d88308855611224dcdec320def48b0e07f5e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 43859622122aea8b431a1ca701d0f436
SHA1 032e3f3b25ab7b88cb4634cec2984f87794ea59b
SHA256 cf4b615c5d425471ca64910cb4e510a8779cd90adc667678f50f7b08ba925b0e
SHA512 b5d3e7226ab47cbcf6e6a21512952cc6425b218306e6f404f6edba9abe0ebe33b3c1e367b2ba25dbdced1869d18bb5b77d95a2009281106d041f95d6573ce5f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d210144a0c446f4327468c257fe066b0
SHA1 819f4355b270e95280caa4189de8539f42061cf4
SHA256 5adebd2561f3da5065ffbb64cbd61c332600ba34a9b72983c6f85f89ebf7c72c
SHA512 d31df9bf3a7e37a53c7cc315e0af1cad703f42d084d99a55425f553f2e125b80c1902a8c10cf56ad9f41ed97d2bcd2895308c5272b5ec6a78f29ef4025d6cd76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ca550150a1752b823ff0c6ccf22c96cc
SHA1 e63eed0373a1ee59c6e0b297c1018d0986a899a0
SHA256 4e0f955e07f56efe9c78e8d962990323cc1b460224752d8ca5da5f7ccb04bb27
SHA512 d2ec2f25cfe6fc954781debacedd637d544a5f4b447966e71bfe67d7bf525b01ae7d02debe050ee60e67451109c98248bd55b13b6ab01c6064e24577d7a058a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 12bfc9dc8c345031c5fbdfc29f3a1732
SHA1 01700b1a5aa2a1f25c64d51607e7700baa9540fd
SHA256 1f7df6dc73057d1898b330ae3f46a94ff5f7639e1b38b4579cd9e9e0f129edff
SHA512 e5419b4b0aff18508cf24f419efd8d987546796fea178294abbf49a6171e4e3a0c76112e2922d4d2149b67af9a704cf9697181015d2731cec24ef6f9c4448ab0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3bded50ba67b3f06073ac33e42339810
SHA1 a5185e9292f952dd139ca8650a213066945de9e9
SHA256 2968da693cde282cf08b14fc4c8545382d81ba6c5a3f5288d432d284e01a027a
SHA512 0bfdde366d7cdf43e75ab5c97f8a00cfffcd42b635f1b987bd59f15ddf1919b659427b910ec4dcc69c35c8002ba3e71b1533a29c95358be5e7532ec83497479f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6ff3001b5341e0a4fcdf0364162df3de
SHA1 661cb98d65e028e9b68e82932a2f7f029addd67c
SHA256 1bc56b6dda7bdc6363d9974f9e6e7f046f8f9b839fc6b052007fbe4503102567
SHA512 54d174373548d52aac987dac28a2fb2da062701be965de45327b037686296cc158a129cad6509b8f60f535d5b05cbb15dce13d98753d2934b6270f27733647e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a4f6f3c2d6e6e50ccb20973340c0310c
SHA1 c23fbceee436f55e1bfa6f1aaa8eb2f369764e8e
SHA256 b641e88010c3ad089de8fabc4b0d95658613406ccc71999ece61ef02ea4c3cbb
SHA512 49eb621771db2cb36eb402dbc4a122be7e4e24c9aea2026ae52ffd6d5ca122bf576c4d7ea08efcc0277b4a44866fc654b2fe88225527241e967481f858c0e284

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f61a65963a2b6a38f9c956f0a0cd99ae
SHA1 41549de788cb5852e120f04fdefecd168a3e1023
SHA256 1608838ecf5c10c610fe1af3ecee3b0cb34632d504e762df6cd336babfc96dfb
SHA512 841dcea9d543de7f64bebd5b111792c26fb62ba3c2b0651a9d0356ba8d5a154f49b5a27b289aad20ae5c9618fc8b097af5dbea398c619b48e1a09ea47cdf3293

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8c87bfe8e853235ca15f34804582e3da
SHA1 149026ff06db3854a894d7e235d66c11952b7a09
SHA256 4f3266b91bee3148b9c6a2c2211b8531edb9f53f0f243105d80e67e798835134
SHA512 6d0464c749f405fac318998c728085a8d201139840f52aeb5e2d9b950c7597220649e5951f5f0ad17d226dabb5dcfce14549925119bf96438f2fd79ae55206fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 784d23087d26ad3f66416aaa878de1ad
SHA1 c49a352a048a15df7a095c53a7241c4c3c41dc37
SHA256 6c28c1ff3a0b37306fb32923f1c00b4f3242641afdfd683215106195706c00a7
SHA512 a40ef27d0d9191d918f661206544107219b0aa003afeb347843d2504806a226640d924b6748a55af1f5c26a503372beea025e49639317461a5374f13bdbc5b34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

MD5 950eca48e414acbe2c3b5d046dcb8521
SHA1 1731f264e979f18cdf08c405c7b7d32789a6fb59
SHA256 c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
SHA512 27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 695fec2be3b33787ea2732904a1f5207
SHA1 890e312ae973585a2dce58902fb23fc03ad2c8b6
SHA256 2cdbbc257955ccedbff2d385f2eb646a7798ba35ec7d92b087dc3fdcfe799b9b
SHA512 59234ea821fc0e87307992e0ad6602c53c7a9c435a52e19699729c257e3c20474a85712a1e40f2b98b816d7157569b2493e87646ce407908a2a78f9b6a5f5f7c

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin.zip

MD5 fedd12ebf6a7107c2454a7a42e45b733
SHA1 6ee5f962260f6ed79bfcea408a6e1315289989c3
SHA256 22df62f2469fafbbc09b23be0aacd2bb95636aed427712f03c19c4967ea588b0
SHA512 826434d09e0ce85c7c4cf283b65bc186390689f13de36ec6fc1cc97a07b961c42689dfeb04e37a5f13ee5566484ee1442e96635433bb3c18630af77157b78c75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe64d590.TMP

MD5 b7774d8110e2ac7245e9eb49a01c8803
SHA1 ccaf70c5ae8e3afeda07443f41fcc17d630bed1a
SHA256 7784dc44fe35632e9155129efec4a1011a6b20ba3e36d21a591d0dbf6077e1a0
SHA512 33141d7738e7319bdee36b933d90160034a09965b9b9e5f39c4bf2212191ec248a4b23d74d501630a60e01252a77949cced08decc802e3eea4881930e0c2ada4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 49784b936000c6c01df183f8bdbb1c57
SHA1 ca85127ad4f9904bcb84536dd1909fcf8a52a2f9
SHA256 87c079be770e96c381f9d8bb66535d2e107a2a4f86ecd785a81dd12250f71363
SHA512 d04aeb0d634f6d54fa6c7ecdea74b6d5721d7d877b688d20bfe3b90cc52e429006909c98b7f3403524691d4f83c6e29cdec68460c2080e92c392d1e6259eb66d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e50e3c08095e9743ef0dc86a1ad1ed7b
SHA1 aab318ab9ba070db7bfcffd21c61a05fbab8e26c
SHA256 d003cc8164f8805c614cb80ce74049b056e10685e80b0747c5b612574f6cb2f3
SHA512 8b52b55dc750c788d66fe83acfe3686bfa1d1ed9eb30feb6f2014df096fd781f66e10ec36c9b48bf15cc4184bacc62d5532a9bed190688c565e1725aa4848f9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 24d92f019d758cfe730d9758aec24948
SHA1 395b2e4f6d68f801ffff93e5a8898708d9163789
SHA256 41ed1f47534d536e34887bc4f9beca63e9692109a3e5bd4a12f08f9ed662a455
SHA512 b8a4e394977e176793426a55ff181290e294d8b7d4d503dfd7d3493ce8c29f16f833aa4f30d3e60916951adbd92ef9b130836fb1b4d25eace64c615f362d981c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3abb9e31f41d3e6d1e909e13e27b010a
SHA1 a1e721a6564b8d2b91d4d96a01ff253260e89f97
SHA256 1393470d45b6f12f21c68da10c3a5ef3e4a2b124ad6f80ade608c2f738d1bee8
SHA512 c8a276cd5fd9b0bf8e242b76c691a89310255b1e03e556d584925b0ca3e98282dadc75189578736b05ccc25a68a3c5dfcf9ad8ee6afc023226455f3df14d6fd9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 88a552e6be1ac3978c49143983276b3a
SHA1 dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423
SHA256 927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5
SHA512 125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 1fddfdab08937ca30e43dc454840c64d
SHA1 25af586ab7462e30465c9306426062b9d10bd058
SHA256 c578d1b5c5f608df3926d2658217ae728beace6455244c0cd9e3e3d15e455013
SHA512 b0f5666b0fed1321f525f72b5950b8c694032160e6e5fe101201f4fda3ea3c04fae226a997f949478a93705c8a2f25e3567eb69e35dd7bb6bff85d4bdc481fb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 d6b36c7d4b06f140f860ddc91a4c659c
SHA1 ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA256 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA512 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 56d57bc655526551f217536f19195495
SHA1 28b430886d1220855a805d78dc5d6414aeee6995
SHA256 f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA512 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 74e33b4b54f4d1f3da06ab47c5936a13
SHA1 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA512 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 f86ce2628602974d4a9d5d06f04aa5fd
SHA1 87954f89c760c24836909c305dc359c6de974488
SHA256 33c09ca0cf367dbb24c92a6b0f14f017c0b500df9a2c5de292cdf5e8bce87e6c
SHA512 a1319c15cdc4063b99e7c2de939d63302779fbec9b0ca4f48d2428accaa4df7643fede261076292f0de1fba907beda820188c0fd7b4aa84506b77636aabe0af5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 be6ac982fcf18bad9c36da0ad1707a36
SHA1 ecee6413be12900116adb68cb5c3ca11e564bc04
SHA256 bde6b859f1ec98bd23c0d3c83bf06357ef04d544db3f6711e2ee8a04f2657080
SHA512 310cc3dc60af50346885b9ed0e353b3423bc4c478f19da523adba97a4d7131b07f19c8699519fde08f96a7b00365b122c2c23dcc889d15a741dc1d06698460bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bab1732f740be434a459285ae0938e30
SHA1 32dd07757693ba50b401b4a23d70f489bb5e96cd
SHA256 c948a1fd048dd6272268d9c6829e554f29d618070567e20f5cf2b29d689431b2
SHA512 f81dc6b505f641badf8ff5f7d7af1de458bfa6a1bdab22665fe5ce172956d6355d5996ec98af0800cfdf9e4fff80a3ff3e8a8a0fe03f61d43cd249d7aa6c6fde

C:\Users\Admin\Downloads\Unconfirmed 444893.crdownload

MD5 de644b4e1086f1315c422f359133543b
SHA1 54be86d121879b0e5d86604297c57a926d665fa8
SHA256 17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd
SHA512 714d41254352d91834a4b648d613e9b4452b93b097b5781ec5bf3ec7c310a489d3a1c409b2f0a6946822b96f6943b579910d26a5f4324b320d485e856dbdcb1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 365db53c78dc4a6c4acbddcf2430b249
SHA1 271bad2be0860960ca9965a822169678775d7ae4
SHA256 b2a817680ca18d66c822bfaa0c187872ac1728fe027b05124c83681ea9b96b5f
SHA512 8430e85412562b5d2a9d27d0baad692d85a6b2deb15b77d07bad819ac80b4c4602ac33c5e862bacbaf1ecc8d9f60e4e935cd6fcf966b48189459895da8738392

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 3cd0f2f60ab620c7be0c2c3dbf2cda97
SHA1 47fad82bfa9a32d578c0c84aed2840c55bd27bfb
SHA256 29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b
SHA512 ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 bc9faa8bb6aae687766b2db2e055a494
SHA1 34b2395d1b6908afcd60f92cdd8e7153939191e4
SHA256 4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed
SHA512 621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 af767f60f8f5ea903ef56a82d2fe73f1
SHA1 2162b127af171565e10597da81621d35d538eecc
SHA256 843d5b82442ecaba71820e9fa6dd3ab321cf556cd4c703d3424e6f0b27697b51
SHA512 0405d9a7e5e9dcab39e1f650d550f2bb901f5afa19329d2d1ece577a5dd2a82f161cf2788c2f32a4cb4a33b7456b9c150ac7671da40f51ddaec7161cb5004cff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c892e029c272adc78711e984172249cf
SHA1 fa4b6db4a4e93f83ec3304f3a04b7a0e8e1f8854
SHA256 6ccd26dde7157f0ccfffc63ee67d03cd148efb3b6d50e94dc4ac8c58c3a87bee
SHA512 8af2846d7231ece010b023554b630bca9e6552c5b4dac083daf079f61378bd26becd879c0b794dd38aff8fc3ce5fde784cd044cbb1685bd36c0ddb2f04244370

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 e95cbb228af888f31d41b2dc69bcd1d6
SHA1 98efed8badc5acd7735e94d62d864b2dcdf4cfa8
SHA256 99d79cfef45fd7847d5cb9f7228419aa2ddd3b82a07ff686d135fd860f89a072
SHA512 15420cc465744165f9f16aeefc75bbeece70cc7a0256822eb9ff6edd30037f264f7e9168c91da16cc92c7643d0ac9875bc607a75a5678c5ac860e0392370dc6b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f554c58e06942c92ea6c3ad174a17f76
SHA1 6368232db4b2bc5b3ed3cd6ec184d0d86b92967f
SHA256 49e06a8517ba333d517ce05682c3913e714bdc47f25a3efcc43a46017cfe3ae6
SHA512 90f8893ba01b75f6073c2a25dd5f0e2b7c4aff6b3f81faa1159aa644c0204ab9ef0f5f91d94e86a3f00b211ddd06d049c06c45af7c6f01693ec29279b1ed2f04

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ee03f0d307c8cd582b54847a54a86a41
SHA1 168d37e5e66bfd7cdab008c918f7586f2c6c3c12
SHA256 97af09bf101449642d20e73cc4c81a9ca3d7406f466fdd56e933f47b287b8dcc
SHA512 9884587c2fefbd4a18d43772bc08470607230f12270d0ad2342d355efd58fbe43b4c9e5a0925b08511d5261ec9db75ad5109abe5b6493abfee1885ff53199358

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 17792748c417942af7d92fa85e1d2fb8
SHA1 aba7eea759223c7fd14b36ada90ba1d43be28d8f
SHA256 b295030196099cf3dac879e7a1396cd2109d551951de1e49286b489e622bfebe
SHA512 67981204400beb4221f04efe20c941ae26f4dfca43b8bdcf0cf30b812515222893249ca6650b9236717eebc8f836ca3c81fd63e8b6fd79103bc9d6ec513a29cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 56db37f4c641034f2d9782891553b6e0
SHA1 aa8c8e3f17ac644715b795890c31f7b063c032cb
SHA256 063745990e050be85f4b7fd81e91ad3652900f3765f58cce67aa5efc5328da6b
SHA512 9025e0013290a437d9e9a184e0126dc093661ee1f7218e3e781ea7d9e5d3f32dce95d11d945a4680d97fff6d65411c51033941e050350e93fcdd6b19d17c0fb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 1965b62e56b6d4757d9e0d74c86dad04
SHA1 1c1c809a61758adb130d0ced642d2d1c27840f4f
SHA256 37e4da4156be306303e3457c6a903e741bee2d8824042f941dbdfb8a1b762b8c
SHA512 228623aeaa3931d49192b2fa4eefa9fc81f04c1ffe008858801313914454b7443bb3dda2c01d8242e5e47641bfda5fb66b75067c7d789859d4f7219d35ce5fae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 43dac252d21bddd2477439e023621c6c
SHA1 a7a81cd955811fd15dad91f443e0880d7aa08d79
SHA256 fedd9610bd4c2237de2d9eebba3143424967690767ba25ca7ab369f7aab3bb4a
SHA512 cc5aac6a7e47a0548ebc9a606eff04d175e1c76844160069bf4787349be6fe897cffd1444f9c00dddc214502ebd5a8ab97a1527d219679af894a28858de40fc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 93ab4cf70b3aa1641a4b258c3fe03f24
SHA1 cba2ddecb8e019e6e5a91dcf867c6d6094f39b63
SHA256 d6c2f9f2bb35841cdb53abb660544e6e6f44e39d6542323992cc1c63e998fa16
SHA512 70fa907afd9b52ed54a3cf755e394c40a3ff7a83041540b435cba47d889c1c9401afc9fb23a5e879d85bed42fd5df40cd7540d428b3ee7a9cdc278a314770884

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

MD5 77a781823d1c1a1f70513ffeda9e996d
SHA1 60776ceeb79ed41e7cd49b1ee07b1e09ff846f25
SHA256 b093599957b103def2cc82ffd2d42d57a98292ace5a6596e3e4439a6cce063b2
SHA512 9aa66273ad419e1fc4ee825ec9e9fea4297139eca060572d3f59ed9bccbf2e1dbd03a006a0a35c6d37196e8297ec9a49fb787f0a31c3772b17911603eca62aac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d52de70c934488cc5b07cccc297c8e29
SHA1 7a0a3a175d6c3ce5f9ae4d3841b4190056be92fa
SHA256 2b2ef47ec7764cc85a661b9933f0794928707bd7905b33facf4d1b1dc118d2e6
SHA512 264b32ce8234f9cc1e07ab870b4aa51243bb67777532e683406e20327b77fb462e1737b5b13f96f47c8445ff4904daad4f447cfe997c4735acd860229910d2d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1765a2bc316f25aa5ce51f698ecef1f9
SHA1 a75c22276d87854c14bde82e244d3cd60320cf97
SHA256 20db218e4c1ed88f6070c40fc5bee7149ce628507d9583a1c48871c8e4e6e9ec
SHA512 6712b93556d1c15a7475cbb177f14194f5c2858c8b0f7b793aeb5d5a2c46f429e7d43c9283acff1246105f4c5aacee10804503ad5aaf85bfc0c68d40daeb2ef9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3c25b96c92420d546a09aaaf228821af
SHA1 7ed650d2fa33e5d9225c69b6a85109b0c9b7486c
SHA256 dc6b4a5991a11577291eaf6d2f2df1dd345c5efc1a7ff9500c665479dcfb4a23
SHA512 064ba2849e91d514248df458c94dc7dfdd2d5f2766d5af8545bd0be31c9e2718b4d50757bd598c87daf7211b4840b734eff1e59057502def550bb04ba66526a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a2504e9e03962a9a117fb388fa35e029
SHA1 11419d867c3d05e7d72e0e80188f41f14762ab7d
SHA256 4a8811ea0cd4029c0ffe39cfefa62fcf2850b8a028ed270542cd3fc5eb6deaf8
SHA512 455c469fd4a473619ed0960f678cbf841e7504c2624976ab9a53d97452ebfecf6fe5afc0aeb591a21da854626d0289b5df92b4cc9aca6e14ebb2eb4da1e1f3a9

C:\Users\Admin\Downloads\winrar-x64-700.exe

MD5 fc7776eec30751e169e1089bc2a4c478
SHA1 99cdb78719ca97c7351aa75f1566224396d9033b
SHA256 426b7b38ca6de20f1f6535d2fa63c16e11780c7cd5f2ebc66ff9a0022e246e83
SHA512 bc94f526d4dd751a44071dd6f540f2957d96f5c6500d7e5bb41ec6581bb0a584a6bb91fe13f7a1d9c7749c4601b1fe95f2a12a204b73bdc9a37c83cff7ac35c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f5f4b686d27daf9edd3f0ecc41bb71e3
SHA1 f4fbed1497db23b4291c8e701da559475e2fa195
SHA256 abc229bc10b8a712a84b20ee2c7eddd214e8548e36ad828751f69d891c6b24bd
SHA512 f583fb80df1427c19fb70e576be1c28316cbc5adfa67f9737ffb1d7e703d4f29723dfdc444ff1ec3f34c248c60eea2a02df0d563f764dad3100f37ad2b8f55e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 beb586f16c05b4d5832604326f936e97
SHA1 34b99b0de90b4b531afe5fd3bdbfa7587a046ca6
SHA256 afb77b040f19872c08afaa1056ee7bbdb8c685155d34e4fac86f2b525b8bc774
SHA512 2c213c1a9a4617f4e7889750ebce375754f27f4cb46e28d811debb405bed5e75f2bc9df29723c1cbbe278acae5aa0be621e0ae4bb613ba0679c73340c77a50be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b3ae22f7c6c38c7a6db2fe46e98f8b28
SHA1 faea12744a2f130938de877683db9500584db9ca
SHA256 d8f4e23f6397c613bd8c0ab7c93249c8ac45489a0dec0460e756d69eb57b0d51
SHA512 810fc877f62d0934d57d206a1bea9f81c8692980f0e2b55dd8493ebdad66144dfbc931805fa5b080c796d43a265b9c516c443266fc0c80118a3341447235bb54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 15e01f6233b8fd22ebb6f71c90887f8c
SHA1 85e9d39dffe1121064c26f6b9b5c1fddfc5ca9a6
SHA256 b9151545726224c390cd47af8600ee0a5a95c519f98e4734dab94a48965339a5
SHA512 2912c85a77554620686bd522d74bc10b8b1d8c9486f0e724ff05e7177d924b3126bd11d6867774f61153e041482b9159c9fde1719e150cd3865fe23131af1677

C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Icons\icon (15).ico

MD5 e3143e8c70427a56dac73a808cba0c79
SHA1 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256 b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3fbdf8d34cbb99c99baea1b18e2d0df1
SHA1 e96937391381829cbf574dd3fb20352920a4c93c
SHA256 99a5005d72805a55972ed586d0f9cce990d9816de0e0ca97a45a50e7b799c2a4
SHA512 0ab4de1ad4a9f3d6093d58e35f9d5c0b4112c27fe4265b899630d1c349e6fb0772d963232087af20b1fb6e92db88e4ac7cfe2db49198bc74ff8a7d08e1fdef04

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9193377c2ded446e706bed981885ff85
SHA1 0f8658eabaa8eb738759df7c2ac2e63ae8dac362
SHA256 64660ea9b2c2b7e9450e42889ff842d0d8b1e5e187572fc656454ad2dcadcc2c
SHA512 d2774928b382230d3ba9e4387820b4f50088e98e70b9058003e84a5c5b78770e27373fbba5512aba78dc741af83daa908a896d997ec66e2cfc7bed72da06f608

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 47a1fcb90c7c1c97c9fe912bcead676c
SHA1 be50d99c19b1801c1437ab860731809c0ec25c6a
SHA256 372804adb5ef148b0e208a06634175e6212738871debeebf3cddff1e5f5601a2
SHA512 6d754ddbb0dbc3a61b41630f0758e32ed3ea6fe8e70af20c92229fc932b39cb0c7662c557ae7ec22f7f4f6c0931332052c5069f2c0e20976cd4e1dc1d884a41f

memory/1052-6489-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp

memory/1052-6490-0x0000022038A50000-0x000002203982E000-memory.dmp

memory/1052-6492-0x0000022054CD0000-0x0000022054CE0000-memory.dmp

memory/1052-6493-0x0000022054CD0000-0x0000022054CE0000-memory.dmp

memory/1052-6494-0x0000022054CD0000-0x0000022054CE0000-memory.dmp

memory/1052-6510-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 903e7eca6fafac910cb2ec3b5cc45bea
SHA1 8e9014fd7386c412aabd7ae67395a4d542b63025
SHA256 5145de2d0fe933a8f0b26f73f4326e369a37890aa5981a7de3ecca524320b2a7
SHA512 e4aaf27428c70b31fd8ba8ada1512f15817e14a9cc1e96f7812c5c9a66a64711cde8c30f491ad7010adf54fee948343e50dc5d48dcf840695f5e6b34321b47d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d877a826a7b11cdd45b016eb6305afd3
SHA1 ecda35e13b815eef63c5ee989d83f0e872e61c9f
SHA256 fc7ba9a6235c600a1e6fa4eecec5d0d924aa8202a0346214f52d3c2e42d6bc1c
SHA512 4ff089a60f6aca0be52b1e27a4a2592b77138980ad555dafc45d656ca06fbc519df0750ce8d496167861d00e250298bd8038838160bdf1dfce898fe2a04105f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a574c06de6b4733f5a66005f6a559c5e
SHA1 660933c2a28590266f8c90b43b54d342b1bb490d
SHA256 3a86c254bb68316a696455b0b11c6aaf4e84a15ba44e2776760a48cd804e537a
SHA512 5c4d00c4cec2539fd58dbf4a315af018d3f869bd15e1350535d3e030586394d71ed6626f81c1113f2f8002417e178ec0fac54668138f0a8d9b2e459998e14b3b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 349cea3fff97179780545c1b22584808
SHA1 efbfecf72432ef6236dfa37d20c63bcb402bf775
SHA256 028f406929bc75aaa76cf0b8301be0f87a824887295ec329d94a4fde84fb19ff
SHA512 89738c347a71218eebc60004e97452f752eeefc129b2769c8fcc2afad6fa6a53124e11a0ac888a5bee568e1dc455347321c4321f5dba0f60d8393aea634b49ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 92e2f11301b8ff559ec573ac50201d8f
SHA1 c41ef2918625d98b2b69217b58b62947a00412b3
SHA256 3a6da2b0e9f206a7e064e0940b72e5271f1cf950130d481d6326b6b6568304bc
SHA512 b82c993fdaab6396f2ca127b431142a5cb7d362c696916ec54f94fcf1ac4ab7efaa0a266b97fec9feeff734dabdae8caee9803c45160aa07430ba84252fcbc07

memory/3504-6572-0x00000000003D0000-0x00000000003F0000-memory.dmp

memory/3504-6573-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp

memory/3504-6574-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp

memory/2292-6576-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp

memory/2292-6577-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 08fa45e8958529613a94ff1c6103b11d
SHA1 53fdc89a4d0aed685b7fa76e139ae142860c47d0
SHA256 c2b879aced675fe78695a2a5d3abf10b9b381f895ce0571a07425a01bd0bae53
SHA512 a329da5b3aca7fbd1e4927c9bcf0afeb209a184edbefbe4087b39106367f8906c2894b217d6fbad191305c81fa960246a3619094d8b289dc7f99699dcb74b2c7

memory/2044-8062-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp

memory/2044-8063-0x0000015CCE2A0000-0x0000015CCE2B0000-memory.dmp

memory/2044-8064-0x0000015CCE290000-0x0000015CCE296000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c4531ecba6bae4a147f95a2bb3660d59
SHA1 8b804bb88da8ce60cd98917943ba80e76bd22f27
SHA256 08a9ac7783742a9e6e4210302a435b42af516e917799387f922fda8361cad33e
SHA512 0b4fd4dd0ad4d25bbccf7d34342e248544f0bfbbef81e2ed97943081c4dd7b4db77a8a43560b82c86371a97c87086494f5cf6e4942c22e8cdf32541fe5e8e25a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9b511ae94e84dc5a3bcdea04b7bc3686
SHA1 50a598491bc047112331a71928447ff55d132ce4
SHA256 20b7904e08dfc2009016a2616b0094ab044cf830b3990aa1384a380dc1f07b5a
SHA512 a867e55add9c9fd362e74ce15caadc71400ade2c433d0c532be313041ffc125c4c9d66ae42105461c6280ff89cb0b4be09f93028c54014cabc4123489c9397eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 6c0f1dec4acb45c591a61ee962a8376c
SHA1 4943996857288e7bf4e128ac82b5209cde069e2a
SHA256 958016a7b697589201df1d8b6ba4c63dc401fab40115ef55c02275fc386a05bc
SHA512 76d379b5982772a84b3993567be2550b0bfeda75d28c24bc8b5936401200ca4d5fe4e29905dfb67f7f8a4515dff29a562ea05f4e2a421d43104cc6d8b7fdfbf4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2a0a0c0ff4e6b8dbd27069849bc19b1d
SHA1 ca37de58e9867ce7d4ac8c2f56039118325c19d5
SHA256 f7b5e99c34aee0ca2638abfc62232f88fb53688d78e3fbcf7fc5e904c184593e
SHA512 6c987f7280ce2ae762e6e0db1c48d96dd78078a5545731580b2dd52a4c393fa7d2044059bcc502c2f5a97b3586b10edcfb356ed78d35213c09890db2f2f97b36

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 034cb97b481d20f2a3b25bc8002fc806
SHA1 817485f2f031c2a0d00356767442c1b886b57346
SHA256 7f44a141db23c7ed5de79a5a3aae3b4c7c8c3675ffd0d3b1af7ffc279c84db49
SHA512 73889a912afabc5b201eb34c3c53ec543c1aa39ccf27dfe9b698b9024460528283da90447c5fda4205c3b1b0e841efaf5ac4833d0d896c691868f369634d606e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a67195cf01f04752550f5fef4cd6a241
SHA1 b92652b7ca3d2de2ac8d756f27dc579c996f4e69
SHA256 cc89ac5aeb1fc9b94d58871907eeea07f5c32fab4033dfcc16262c8e576e15fa
SHA512 5dd81d8513dcdc026fe2fe277141cd53760956b59eee322c698f2950c9071ed6ce8a09c6878a05d7b1ca9a602d1254a4e4e5bd7fe763b9f8bd7765a7f500ddf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3f313d26268598f94fcbc991bda84e6a
SHA1 685010a9723bf6d4de51be9286c7d2ee2da9f08a
SHA256 d4a0d6fa1be599de03099db84d209a809c5a6859d7c8085c71e2d85dfdc48dfe
SHA512 2da64c392a928b99b79d1f081c93580c751562d0c39dce682d340e2ad5c29ca1e3c2b80fb8fc2bc84ffdc76e15c170dbad15f1bda3499adf810f098b8a800f01

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-10 17:25

Reported 2024-03-10 17:58

Platform win11-20240221-en

Max time kernel 1739s

Max time network 1746s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies RDP port number used by Windows

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A
N/A N/A C:\Windows\svchost.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\regedit.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipgeolocation.io N/A N/A
N/A api.ipgeolocation.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings C:\Windows\SYSTEM32\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" C:\Windows\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\FullDetails = "prop:System.PropGroup.Description;System.FileDescription;System.ItemTypeText;System.FileVersion;System.Software.ProductName;System.Software.ProductVersion;System.Copyright;*System.Category;*System.Comment;System.Size;System.DateModified;System.Language;*System.Trademarks;*System.OriginalFileName" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\0 C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings C:\Windows\SYSTEM32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Documents" C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\TileInfo = "prop:System.FileDescription;System.Company;System.FileVersion;System.DateCreated;System.Size" C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings C:\Windows\SYSTEM32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 C:\Windows\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 C:\Windows\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Windows\SYSTEM32\cmd.exe
PID 3796 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Windows\SYSTEM32\cmd.exe
PID 4736 wrote to memory of 4792 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4736 wrote to memory of 4792 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3796 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3796 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3796 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3796 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3548 wrote to memory of 4076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3548 wrote to memory of 4076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe

"C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ipconfig

C:\Windows\system32\ipconfig.exe

ipconfig

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/OurAllNetwork

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f2b43cb8,0x7ff8f2b43cc8,0x7ff8f2b43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/OurAllNetwork

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8f2b43cb8,0x7ff8f2b43cc8,0x7ff8f2b43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,6540273361273910462,15061628231997835871,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,6540273361273910462,15061628231997835871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip /q /install

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat"

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Readme.txt

C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\KPortScaner.zip /S

C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe

"C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004B4

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\NLBruteAllTools.zip /q /install

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE"

C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE

C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE

C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE

C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\NLBruteAllTools\NLBrute All Tools\ERROR.txt

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Documents\NLBruteAllTools\NLBrute All Tools\dControl.7z"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\EXE-Fixer.reg /q /norestart

C:\Windows\regedit.exe

"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\EXE-Fixer.reg"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipv4.icanhazip.com udp
US 104.16.185.241:443 ipv4.icanhazip.com tcp
US 104.20.62.122:443 api.ipgeolocation.io tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 122.62.20.104.in-addr.arpa udp
ID 153.92.8.74:443 nc.bmexcellentfocus.net tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
US 8.8.8.8:53 175.108.111.34.in-addr.arpa udp
NL 149.154.167.99:443 telegram.org tcp
ID 153.92.8.74:443 nc.bmexcellentfocus.net tcp
US 173.255.194.134:80 www.proxysecurity.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
ID 153.92.8.74:443 nc.bmexcellentfocus.net tcp
ID 153.92.8.74:443 nc.bmexcellentfocus.net tcp

Files

memory/3796-0-0x0000016482F20000-0x00000164832CE000-memory.dmp

memory/3796-1-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/3796-2-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-4-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-3-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-5-0x000001649E390000-0x000001649E442000-memory.dmp

memory/3796-6-0x000001649E4D0000-0x000001649E546000-memory.dmp

memory/3796-7-0x000001649FB40000-0x000001649FB62000-memory.dmp

memory/3796-8-0x000001649E5A0000-0x000001649E5BE000-memory.dmp

memory/3796-9-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/3796-10-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-11-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-12-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-13-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-14-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-15-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-16-0x000001649D7F0000-0x000001649D800000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 601fbcb77ed9464402ad83ed36803fd1
SHA1 9a34f45553356ec48b03c4d2b2aa089b44c6532d
SHA256 09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15
SHA512 c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a91469041c09ba8e6c92487f02ca8040
SHA1 7207eded6577ec8dc3962cd5c3b093d194317ea1
SHA256 0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f
SHA512 b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

memory/3796-30-0x000001649D7F0000-0x000001649D800000-memory.dmp

\??\pipe\LOCAL\crashpad_3548_VJKXUKQWMIIQBSVM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 faf31162cf543bd84cadaf08eac6d90d
SHA1 4270d3dd0f27bedbe8809d7814150339809c1afd
SHA256 0b681bc161ad7c17147a3ce705909be0653309818dbf605eb043cc41213736d1
SHA512 40f63e03242e7ed363116c14504628d3ce2f3bb97be39832af8d7b5cbcd07f154222883fb8cc78c320dc956771ea7dcf92834da5a8241e42f71e7ea6cf14ec9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0720e10d3b69c15d0445959322b48d61
SHA1 b6d522e72381d926981ca200497e31a72129a698
SHA256 02596f54443ce5c6a858fa9b525b48d148fc92d406a1cc30cca8847ed9c24571
SHA512 b523e649e5c102cb6ed4ba9ae77d4908ff61de905b41e85b11fc4bb2ed6874c73f9a669a8d4ae7259cd12f7fe5f66f1069c43724058310bfc0d730c092513a96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 456676bed1c86f253172818c819da618
SHA1 c498201a9ccafbbe52b3b6634ab035372f7fc3a6
SHA256 334cb0bab4aca1c9b1a9fa66d578f27b298c850bc4852127258bb2c243e5ff31
SHA512 ef812237e72357aba684c500e774f7cf7a8ebc39ceabd966a0d9bc5363c96b42a3cfaa16ace4c17de9c96107e9aeb3379a1be5810d945caeaf67810d4927533f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a07664a3b3ede9aaefe726f8c43ab412
SHA1 8db0b5eff9106c658d95857fe5defd6e75bedb4b
SHA256 4296c2090e0e777d3ddb954e652768a3d7d5163e93e1fb9e9c4763e833549ea4
SHA512 4a34cf9109d2f496384f12b400bd2f63fe330482840a3816088ff34463f8408e4ea5be3d23e28ca82388ec25bd41f7ab1330d6f59c13c974764e36d84320cbc4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4e407251af4bf11770e8a924cea0048b
SHA1 5ffc4c126bf93df393914d9acc3a474682f7c961
SHA256 e8b36f85f4a86efdf471507afade2018a51ca6da42c8cf8ab9e1bc2bb0764662
SHA512 e38852eb92afce94a16f23421e8ec15af686bde63621668f7e829402a21cb43ed3bd25370c2d2e1c9b1b533108a2c6ad999b8596c15a92728c45d048be57d546

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\695ad376-033f-4aa3-b5a2-76245fa91bd7.tmp

MD5 ec0fef1aaf0616b6034262deebf93a3c
SHA1 d59a9679ccc053274d79cbfa8786b363b6bc0396
SHA256 bb7a834df7991a180ec8b3606dfeb8cdd4747ccb76de62273a7b9e9fa7326cf9
SHA512 6cb990177c8ff2011acb4b7f48d102f84d55059035a6ec4d9315628ae3076872db43c92a4050e792180586f14aca55519f34cfe1930f3767c9e3301cd6b3168c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip

MD5 35710259ab981b8e70bad6c0ec6ac70e
SHA1 7aeee44521e6066ee4946bd641b452a92b9dac58
SHA256 7356fa17a44f6e93635f87fdd25566d8530e1a4f712de686b63618c84d2b86e8
SHA512 6ede219ce36d1326100f46336706c5b1e698ea1888f15812f6ad9748cd860da5e76260b3e294c8db782f1d621e23889f92401815313bb59d586ca5ed70f01f85

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 e7287dd4e71a21e10194c99cc8ccd823
SHA1 d12b4151bb25ca694ad8098751b4918129c322ac
SHA256 9c3bad374f6b813d2d3393e29f7e9aaca5404a001e521746d21fe7ced190f27c
SHA512 e76c126fb4f111e78772ee65afb4a06ff74d4c56432a4aa3f6c9680a0e832c257285e68f2b09e4513b4d4ca3169d865e375caa20dca32648d81010394c0c8c21

C:\Windows\System32\perfc009.dat

MD5 7f41bddfccdfe4a298b0bfcf14a20836
SHA1 8acacdd3503c65fb2ddc4fbb9f41811ae8550276
SHA256 446d064235ee69494d5797e01e4039eca0a026c9b801cacf0670334104eedbbb
SHA512 bb984e7660899c293eb3e8c14156cee5237e0cd2b0ada7b03c850f027a08d728fe8774f7a377e911ed54bd788ac5c88fd6e24b41fda6d5020dc6fae0e4980c85

C:\Windows\System32\perfh009.dat

MD5 1ad05e460c6fbb5f7b96e059a4ab6cef
SHA1 1c3e4e455fa0630aaa78a1d19537d5ff787960cf
SHA256 0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71
SHA512 c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f

memory/3300-469-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/3300-470-0x0000028BC8900000-0x0000028BC8942000-memory.dmp

memory/3300-473-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/3300-472-0x0000028BC8980000-0x0000028BC8986000-memory.dmp

memory/3300-471-0x0000028BC8950000-0x0000028BC8978000-memory.dmp

memory/3300-474-0x0000028BE2B10000-0x0000028BE2B6E000-memory.dmp

memory/3300-475-0x0000028BE2B70000-0x0000028BE2BC6000-memory.dmp

memory/3300-476-0x0000028BE2CA0000-0x0000028BE2CB0000-memory.dmp

memory/3300-477-0x0000028BC88C0000-0x0000028BC88C6000-memory.dmp

memory/3300-478-0x0000028BC88D0000-0x0000028BC88D6000-memory.dmp

memory/3300-479-0x0000028BC8A00000-0x0000028BC8A3C000-memory.dmp

memory/3300-480-0x0000028BC89B0000-0x0000028BC89CA000-memory.dmp

memory/3300-481-0x0000028BE3A90000-0x0000028BE486E000-memory.dmp

memory/3300-482-0x00007FF8DF887000-0x00007FF8DF888000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll

MD5 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

memory/3300-490-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/1164-491-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/1164-492-0x000001F9F8420000-0x000001F9F8430000-memory.dmp

memory/1164-493-0x000001F9F7CF0000-0x000001F9F7CF6000-memory.dmp

memory/1164-494-0x000001F9F7D00000-0x000001F9F7D06000-memory.dmp

memory/1164-495-0x00007FF8DF887000-0x00007FF8DF888000-memory.dmp

memory/1164-498-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/4688-499-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/4688-500-0x0000012AAF610000-0x0000012AAF616000-memory.dmp

memory/4688-501-0x0000012AAF620000-0x0000012AAF626000-memory.dmp

memory/4688-503-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp

memory/3796-504-0x000001649D7F0000-0x000001649D800000-memory.dmp

memory/3796-505-0x000001649D7F0000-0x000001649D800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KPortScaner.zip

MD5 74f3e00524e50b2b191cdda342cb2186
SHA1 17cae9921a3d3bcde0fbea27aea830511b5e9f6a
SHA256 69a5e71b08e6c65a789853ccda99e483ae4a569ede116ed21ac252534d368ff1
SHA512 b2a85221fd1c01b76f83b8e70e26def7084ff652acad07f32ef6740a9744b8e3396476026850652df09fba6e5e670fddee87960327cbb256582aa820da4a0d4f

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

MD5 c0a8af17a2912a08a20d65fe85191c28
SHA1 0fbc897bf6046718524d05b6bc144c3785224802
SHA256 080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5
SHA512 bd6b67a2f285a5634c5d38f742d5528a661414d3fb88f8065433f6a6a1a3a3f707dede9be7bda9bac9327240422c2314081d0a9eb9b6bc61687465ac96868ef9

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

memory/4764-624-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-625-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-626-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-627-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-628-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-629-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-630-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-631-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-632-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4764-634-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NLBruteAllTools.zip

MD5 74b961dac92bba58a673817a4963976a
SHA1 d01b7beeeb774575cc187416ef7d205f012dc6eb
SHA256 55bc0ea43f6571d9f041d699e069b651b6dfd6b23091434a94193b8ca4fc8302
SHA512 cdfc5eeffcdd8aa11a652e217de553c404d0bd7b320bdba4eb3b63b32b4744060fc19f7df6933ade3bb966f06b06a4e81fbd8b770206676320574b0405b58904

C:\Windows\svchost.com

MD5 7623402ee71e75aace57a0aa43fc5cc1
SHA1 71b98ca03bf87fbaa8c5b68b5239370bfee90be3
SHA256 efa4c9f64ccdefd3cafc60bf432ab16672d534a3a55ba36e03d81736570f8657
SHA512 7612e43f1aeb536436d3a291d27d8d3ed8cd5d115d8b2fa45ba9af6a2ebca61819d7ca49d4d17e9d23934903052130cdef7ee8823ce00e80e5770ecde38d5135

memory/3924-644-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 4054e99e7c770fde6245c832fdb87897
SHA1 47ce07c01b369b0282ca93c1b73e91a6ac476e11
SHA256 21a06caed43387480edbcd09f45befbdb8779e3a034077d9961e39cb38b980d3
SHA512 210619f131624b2f1006cab9a43d1a2d86bab5870b589f62a9ee393fc2c224bc9f6d37e01dcd7fd1d3a436e8d8c3dd5ed7b880e6403b88b9a846e69632af621c

C:\Users\Admin\AppData\Local\Temp\_MEI42202\SCAN.exe.manifest

MD5 02bad6e0bf54f39089e7c9b9d7812702
SHA1 23724d9baf3d0711ea1fada8f606e08e92a4de59
SHA256 5434584527b30e1d6f68060c2720af8ceb08116970b17dc4de9fc406b82b3d33
SHA512 75b935b7061fdd05987769483a2ee64465ff137f6bf345c6267382ef5f234630b19d61aeeb639a5412ccac2acfe06002828115097204d865f895fac1c531ce39

C:\Users\Admin\AppData\Local\Temp\_MEI42202\python27.dll

MD5 076a8a0dd3bec1b61110b87a989c994f
SHA1 b6771a7b63b106c3fccbf8c0477952758109a724
SHA256 65c735b2e427755241bfa61bc3249d7169b63e49b314eb9405c6bcf74afb8754
SHA512 c8f7d588f8fdf1750fd7b4af9020c5db72129109ebfa546b2c97ef19af89c020337c1a8a2199c079d1859a28103e1fc4d07ba95b9a6c17ca21fd3ca94b356a74

C:\Users\Admin\AppData\Local\Temp\_MEI42~1\_ctypes.pyd

MD5 43d728dca22fa15a90426900eb6a11d2
SHA1 888bdb94315383cee0727d2cd60f0baa0bb2dd98
SHA256 510e917666061200868396f69c26c508fd07c44ee48a94d310c59e69b3804cff
SHA512 c54b118d3ff7f7134879a3b542c6587af27282affdffd8189d01428ad1040b3cc03587b170355111eca0cbab100ce0f0eb634ef2e3928fb119007ff14551ae4f

C:\Users\Admin\AppData\Local\Temp\_MEI42~1\bz2.pyd

MD5 e139c613c4aab0de3dfabe287e1dda29
SHA1 ae4ecc55bd82d5c9cb54ee1510e5d83d3c0aa2fb
SHA256 d09a7a68c62a54548a19582b956b332ea3de431156125eaa8e7476c8ec16c002
SHA512 35314235e118e620b335c30165056dd2a0ecbe07f1e37b3215a424d10cfc4dd866976b64bc4d155c18e73eaf9bae10d77c289c5afc08ab2076c9c5afefaedd02

C:\Users\Admin\AppData\Local\Temp\_MEI42202\_hashlib.pyd

MD5 3881fed46c9663727204ebcf69a48827
SHA1 3a8193a8da7c50f106dc2e11574a792472e41910
SHA256 5878b68ad284870bc147b0e342e7a544e04c30b8199bca17e9a26f83066bed34
SHA512 46ca4b2f3208bd984e4a1ac97f6b8ae6f0d0aa23d08fe82e443aaf3526db52c4ff61e4bf75792f499d9977cec92aaa95f3120ab3aec45c32c2f1819525dc6c7b

C:\Users\Admin\AppData\Local\Temp\_MEI42~1\_hashlib.pyd

MD5 d256d9116eaede4dbf39a90cc90d594b
SHA1 9e52edf54d10eb722b3cce72cb1e5fba8468e16c
SHA256 456376da077b6abf0a7533607ef31b658d02afff2f7bcc25a3e454966b6ffa51
SHA512 d2e501353516409b8ef88b1ae9812c74977a4acf2f739c62c7622c8adc2c48d1672194b3d5891dab902d4133b7b7bd172ceeba5e13fe6abaab9072b512cbbedc

C:\Users\Admin\AppData\Local\Temp\_MEI42202\_socket.pyd

MD5 a4d40e5cd4a75c68d460773fb0625be2
SHA1 60456c263f350a9b23fd8a54c3ea36595dfec0e1
SHA256 898936f85d2dc26575856a3ef8fefc2b30c733e858b6595adf10ef232928e189
SHA512 bdc53264a6659e1185a05dc3f94277a4e05288313fa6ade11015a538176782c3f692a57c27d7c4b15c839351bfacd63dd869d1374a010cf1f25877b6c2f2f89d

C:\Users\Admin\AppData\Local\Temp\_MEI42~1\_ssl.pyd

MD5 f98bc128112daa1f3dfd0d9fd5d81e03
SHA1 8bfd83bdd2d2c8252d5da7640253cc1f8bf7a356
SHA256 27d29dde2a3ef9112216c5c80d86061d898fcf91bcf71cc30cefca3f425aa7b9
SHA512 d15e9227422ba84d56a09ff72882ede67ed15a4235fdbf89c3952eb088c83d6fb3d77564bf23200d5741f6f9ded2dccf58a328ea173c2603c7de46f744c221aa

C:\Users\Admin\AppData\Local\Temp\_MEI42202\win32api.pyd

MD5 ee73b5435ffd8c1ed67525263b35d4d1
SHA1 3a1ddf1aa147f5c5f165209ad388bb02fc55fb8d
SHA256 db7ab701c7626b928bb4306bc49cc5f55cff56dacea7cfdccc77eefd06fb136a
SHA512 70372c9f627be9b42a24dac36af96d1483a7f8c91c0e9ebde80a8168bed7ba14b23d55d330a3f6fd3609190bf5bde98267a2a87abfd414be77a4384f331f4c39

C:\Users\Admin\AppData\Local\Temp\_MEI42202\pythoncom27.dll

MD5 7805e430a83c985a059fbb9df16da10c
SHA1 498b077aa47b53667937dc2b8463f8ff169dcb08
SHA256 c9f1b53f87a4ee5d4740e03c9da300166de8c239be726e42f2d9d96bd81fabe2
SHA512 fba45917ddd07505b0035eeaf1fb6d8d472473dbcd2710cb8388bcbbf7833e65e1eb53b05e919c59ee5e11051068dabb65eb4e8b2262c3bcf8b74aa74fdd30ae

C:\Users\Admin\AppData\Local\Temp\_MEI42202\_multiprocessing.pyd

MD5 d945e0fe5638a5955189ecf8ad156f29
SHA1 996f2fac787a8fe6a24a812e724c5badc7d15154
SHA256 2ac1673c1d14d02dea009686f93df075c701a14e693af2c7dc9bf69bfb128668
SHA512 57dc1f3e51c98a018dfaad227c74b8a3a7c6b2685ac8eb3b1e7fce7c0b57028e710f49f31856859899d408958811ff2be72d37d4f83af60b15991a8749bf654b

C:\Users\Admin\AppData\Local\Temp\_MEI42202\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI42~1\PIL._imaging.pyd

MD5 9443404880d5776ddf5fe9962be70eb2
SHA1 f85a742e79b7021f36c2ccd19c0c2a5a7fb33d98
SHA256 df0482b2f7c962d7c78a804c671b1976f7ff50f6d62e6dcb889befa4dccafbe4
SHA512 1a39e23e3665888ec528442ca60fc1458af1bf39b5d7f61fa31a9a5559f8bab119faec9f8d644a69d1afbc49bed63bfbf37ef3ee9ea21899a368d725c60c50a4

C:\Users\Admin\AppData\Local\Temp\_MEI42202\PIL._imaging.pyd

MD5 6895f3eb68ef91c6025fe9328bca15b7
SHA1 511d2fc85e0ebfa9a535980686161794de408fcd
SHA256 3d748e2e8fc92e18551e1e778b93ce821a5fe44fe8ca3d2e067d22b781addae8
SHA512 2701eb3450a6799f230072e389fd92789f9d84134d8b062b04955bce9d568f89c857b307eff3b81205262261d1ab168af50928f7d440289792bded5d5f75727b

memory/900-1668-0x000001C802DD0000-0x000001C802DFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42202\_cffi_backend.pyd

MD5 cbfc7a2d429438f83162a58d67fa6688
SHA1 98785bdfd8ab7f6c21e28e67483fd73c63a51cdc
SHA256 2b2898f7e1722429779d194b9c233a01782f869b76f6590c3af08392a8128de8
SHA512 5bccb7f4ba0c6328a1a8874a6cad2e7f07c3293217a0e62a4854507a6e433e2160d85370c1cae4f087f434cbe17165d4975364ae7b54c9de51ca51d285501c07

C:\Users\Admin\AppData\Local\Temp\_MEI42202\cryptography.hazmat.bindings._constant_time.pyd

MD5 166bf01c2382676cbfbcba57c30f02ff
SHA1 c7ef11d11bdd3d5d9cec9cf1592228cf086dbb7e
SHA256 729be9d7fb0e62a55c275c0496a8873e63164b4d53a20b7b3c1545deab836d91
SHA512 4a0eb752cbe70b1cbda87c9233e6736f9f4363623a57d40e3e612dce5f851ad09f2a52fa21f2119b0ffa3b5c085eae2f2fae5bdb4b58a9f5fff343affc201e59

memory/900-1669-0x000001C8043C0000-0x000001C8043D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42202\unicodedata.pyd

MD5 7aff74ee0bc42f0862e1d58d8147c081
SHA1 8cfe4fbcb9c35828e8ad611dc680bf1fe383f99a
SHA256 7a0e39ef1bd3991cb18374c69c47b24a0e4b25cded4727e50ce645f5e751a213
SHA512 60e50c66a1bca1ad0f12c38d4d6ca9181acb26f67e1a1d439dc597c019df808d3cc89e3739b67827162890a9f4d8344dcfb8516d0cc6ad9e55a0e53f08871e41

C:\Users\Admin\AppData\Local\Temp\_MEI42202\tk85.dll

MD5 9d2e6eb30f4905b4a19089332d0430b5
SHA1 d8d134b0dc7cb9b88f3e35fc5bb30dce4eb40312
SHA256 c3739fa11a966b550b6a4c8c68aea5915e9f4d11f7e55cf055f2ef5316133926
SHA512 a39bfbedbaaaa9e5f449cb66f67dc08328f964136135a4de52352fe01c44ac2df8ac6c0fb188395f41bbf9696bfe00128d6f1f7749692286a0a564d5dc1234b7

C:\Users\Admin\AppData\Local\Temp\_MEI42~1\tk85.dll

MD5 b02a075cc286edc0dbe933939080cf70
SHA1 589f68b1ffa119556d30c9024395a8ce610d5962
SHA256 7931f5c15a54c28a7bc6c51c7e47490afd9a0f286ee2d5518819cee8b083aa21
SHA512 f10a0e14575745a07af0f797c726851afc88888f01989efb4d48572d00543e401de4567da5179a049ee52423eb51f24a92a31987922bb0399776636e82abf9ce

C:\Users\Admin\AppData\Local\Temp\_MEI42202\tcl85.dll

MD5 837f6e21b4edf1e09bc470131e8ed4ec
SHA1 3f2c0fc9d39941712299183a300fe287bd25960d
SHA256 613af62f42e4d4329c7fed824f7c91b30e2869a5a80defe80b7e1364b0e38e7a
SHA512 754c23829e3e41556e49f867525746e61ff151a227daf09a7eade85eee53d311c8a8fe53640c2c065b3dfc64faab26c88c34cf62aed1b73f0fe15600a2e800b9

C:\Users\Admin\AppData\Local\Temp\_MEI42202\_tkinter.pyd

MD5 d3fe1d1bfbb9b55bd8874bf7a428dc8c
SHA1 3052aeeffe1f535ec3fcb6a45edddb10e95fad92
SHA256 266cd843beaed33af053545226568cf43c2bccab03e5545310cf76e09b1ececf
SHA512 6b58d3fd233f82ff331d1bca41401eb4ff7993697536280a073dbd27d63161a1e8b4ecc1f06c09a343f8f528a38517bc1f25bacf577ffa67a325792feefefb79

C:\Users\Admin\AppData\Local\Temp\_MEI42202\pywintypes27.dll

MD5 ec16db0ad80be2fb40600df034797ecb
SHA1 6d5bce3b8fb8c7dff0aa179d503af47887e3f0c2
SHA256 959bece25a592bf32d3b3e602bb8ebe88039db2f58916f593db3b66795258074
SHA512 e0827664a6ff06093c16b520da354af77d85ee10a364fd827ecd345d61c322005104354c12cee9778560e44e6ae7a4aa7e4070f388ef8799f139ea8c5c0c97fb

memory/3796-1674-0x000001649FD80000-0x000001649FD8A000-memory.dmp

memory/3796-1677-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
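The listing above is the report's raw "Files" record: a path, then its MD5/SHA1/SHA256/SHA512, with memory-region dumps (memory/PID-index-base-end) interleaved and carrying no hashes. To turn it into something a responder can hunt with, the added example below (written for this edit, not part of the sandbox report or its tooling) parses that exact layout, sanity-checks every digest length, derives PID, base address and region size from the dump names, and flags two artifact families the report's own tags call out: the Neshta infector copy at C:\Windows\svchost.com plus its %TEMP%\3582-490\ drop directory, and the PyInstaller _MEIxxxxx extraction directory. It also marks 8.3 short-name paths (the _MEI42~1 and PROGRA~2 forms above) because a long-name-only rule would miss them. The excerpt embedded in the script is a subset copied from the listing; the path heuristics are the example's own assumptions based on well-documented behaviour of those tools, not statements the report makes.

```python
"""Parse a sandbox "Files" listing into hunt-ready records and match local files against it.
Added example; the artifact heuristics in classify() are assumptions, not report findings."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: four entries copied verbatim from the report listing above.
REPORT_EXCERPT = r"""C:\Windows\svchost.com

MD5 7623402ee71e75aace57a0aa43fc5cc1
SHA1 71b98ca03bf87fbaa8c5b68b5239370bfee90be3
SHA256 efa4c9f64ccdefd3cafc60bf432ab16672d534a3a55ba36e03d81736570f8657
SHA512 7612e43f1aeb536436d3a291d27d8d3ed8cd5d115d8b2fa45ba9af6a2ebca61819d7ca49d4d17e9d23934903052130cdef7ee8823ce00e80e5770ecde38d5135

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

MD5 c0a8af17a2912a08a20d65fe85191c28
SHA1 0fbc897bf6046718524d05b6bc144c3785224802
SHA256 080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5
SHA512 bd6b67a2f285a5634c5d38f742d5528a661414d3fb88f8065433f6a6a1a3a3f707dede9be7bda9bac9327240422c2314081d0a9eb9b6bc61687465ac96868ef9

memory/3924-644-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI42202\python27.dll

MD5 076a8a0dd3bec1b61110b87a989c994f
SHA1 b6771a7b63b106c3fccbf8c0477952758109a724
SHA256 65c735b2e427755241bfa61bc3249d7169b63e49b314eb9405c6bcf74afb8754
SHA512 c8f7d588f8fdf1750fd7b4af9020c5db72129109ebfa546b2c97ef19af89c020337c1a8a2199c079d1859a28103e1fc4d07ba95b9a6c17ca21fd3ca94b356a74
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
MEM_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass
class FileRecord:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)
    tags: List[str] = field(default_factory=list)
    pid: Optional[int] = None
    base: Optional[int] = None
    size: Optional[int] = None
    problems: List[str] = field(default_factory=list)


def classify(rec: FileRecord) -> None:
    """Attach hunt context. Path heuristics are this example's assumptions."""
    for algo, value in rec.hashes.items():
        if len(value) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
            rec.problems.append(f"{algo} value is not {HASH_LEN[algo]} hex chars")
    m = MEM_DUMP.match(rec.path)
    if m:  # sandbox memory region: PID, dump index, [base, end) of the region
        rec.tags.append("memory-dump")
        rec.pid = int(m["pid"])
        rec.base = int(m["base"], 16)
        rec.size = int(m["end"], 16) - rec.base
        return
    low = rec.path.lower()
    # Assumption: Neshta's well-known artifacts are the infector copy at
    # %WINDIR%\svchost.com and clean originals parked under %TEMP%\3582-490\.
    if low.endswith("\\svchost.com") or "\\3582-490\\" in low:
        rec.tags.append("neshta-artifact")
    # Assumption: PyInstaller one-file bundles unpack to %TEMP%\_MEIxxxxx\ at run time.
    if "\\_mei" in low:
        rec.tags.append("pyinstaller-extract")
    # 8.3 short names (\_MEI42~1\, \PROGRA~2\) alias a long-name directory;
    # a long-name-only detection rule will not match them.
    if re.search(r"~\d\\", rec.path):
        rec.tags.append("short-name-alias")


def parse_files_listing(text: str) -> List[FileRecord]:
    """Any non-empty line that is not a hash line starts a new record."""
    records: List[FileRecord] = []
    current: Optional[FileRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        else:
            current = FileRecord(path=line)
            records.append(current)
    for rec in records:
        classify(rec)
    return records


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Stream a local file through all four digests so large drops are not read into memory."""
    digests = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(),
               "SHA256": hashlib.sha256(), "SHA512": hashlib.sha512()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {k: d.hexdigest() for k, d in digests.items()}


def find_matches(records: List[FileRecord], observed: Dict[str, str]) -> List[FileRecord]:
    """Report entries whose digest equals an observed one; strongest algorithm wins.
    An MD5-only hit is weak evidence (collisions are practical); prefer SHA256/SHA512."""
    hits = []
    for rec in records:
        for algo in ("SHA256", "SHA512", "SHA1", "MD5"):
            if algo in rec.hashes and algo in observed and rec.hashes[algo] == observed[algo].lower():
                hits.append(rec)
                break
    return hits


if __name__ == "__main__":
    for r in parse_files_listing(REPORT_EXCERPT):
        print(r.path, r.tags, r.hashes.get("SHA256"), r.problems)
```

On a live host, feed hash_file() over candidate paths (the Neshta drop directory and any _MEI* directory under %TEMP% are the obvious places) into find_matches(); a record with problems set means the report line was truncated or mangled and should not be trusted as an indicator.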