Analysis Overview
SHA256
3feaec930748c0217b9201c660288196dc972dddb85211224a21a282fba4650f
Threat Level: Known bad
The file Win Quick Config.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Neshta
Detect Neshta payload
AgentTesla payload
Modifies RDP port number used by Windows
Downloads MZ/PE file
Obfuscated with Agile.Net obfuscator
Modifies system executable filetype association
Registers COM server for autorun
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Runs .reg file with regedit
Opens file in notepad (likely ransom note)
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 17:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 17:25
Reported
2024-03-10 17:56
Platform
win10v2004-20240226-en
Max time kernel
1752s
Max time network
1758s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Modifies RDP port number used by Windows
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipgeolocation.io | N/A | N/A |
| N/A | api.ipgeolocation.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File created | C:\Program Files\7-Zip\7-zip.dll | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.dll | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.dll | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File created | C:\Program Files\7-Zip\7-zip.dll.tmp | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{FB5F1476-D95D-4211-9778-10BFD46AC0FC} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\SYSTEM32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2401-x64.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 444893.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 299250.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 386484.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe
"C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ipconfig
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ipconfig
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip /q /install
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat" "
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat"
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb3ada46f8,0x7ffb3ada4708,0x7ffb3ada4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x2f4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5432 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2692 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5428 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1776 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ed27940ee8f545e4bd3e463b2ac9b4f2 /t 3932 /p 4812
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7404 /prefetch:8
C:\Users\Admin\Downloads\7z2401-x64.exe
"C:\Users\Admin\Downloads\7z2401-x64.exe"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\" -spe -an -ai#7zMap9801:110:7zEvent22981
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Readme.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Fixer.bat"
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb3ada46f8,0x7ffb3ada4708,0x7ffb3ada4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6681228406627415583,3069340589767966395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Fixer.bat"
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x2f4
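The process list above is a flat sequence of image-path / command-line pairs with no parent PIDs, so the chain has to be read off the command lines themselves: an archive is extracted with 7zG.exe into a Downloads folder, a Readme.txt is opened in notepad, cmd.exe runs Fixer.bat from that folder, lodctr /r follows, the XWorm V5.3.exe and XWormLoader 5.2 x64.exe binaries start from the same folder, and Edge is launched with a single Telegram URL. Note that lodctr /r rebuilds the performance-counter configuration from the backup store and rewrites the per-language perfc*.dat / perfh*.dat counter-string files under System32, which is consistent with the perfc011.dat, perfh007.dat and similar entries in the Files section rather than with a payload drop. The script below is an added example, not part of the report or of the sandbox's own signature set: it applies a small analyst-chosen rule set (the rule names and the list of user-writable directories are assumptions) to a constructed sample of pairs copied from this list.

```python
import re

# Constructed sample: image path / command-line pairs copied from the
# process list in this report. The report records no parent PIDs, so
# each pair is judged on its own rather than as part of a process tree.
SAMPLE = r"""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --service-sandbox-type=none --mojo-platform-channel-handle=7404 /prefetch:8
C:\Users\Admin\Downloads\7z2401-x64.exe
"C:\Users\Admin\Downloads\7z2401-x64.exe"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\" -spe -an -ai#7zMap9801:110:7zEvent22981
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Readme.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\Fixer.bat"
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
"""

# Assumption: directories a standard user can write to. Executables that
# start from here were not installed by an administrator.
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(Downloads|Documents|Desktop|AppData)\\", re.I)


def triage(text):
    """Return a list of (rule_name, detail) findings for path/cmdline pairs."""
    lines = [l for l in text.splitlines() if l.strip()]
    findings = []
    for image, cmdline in zip(lines[::2], lines[1::2]):
        name = image.rsplit("\\", 1)[-1].lower()
        low = cmdline.lower()

        if USER_WRITABLE.match(image):
            findings.append(("exe_from_user_dir", image))

        # 7-Zip GUI extraction: -o"<dir>" names the folder the payload lands in.
        if name in ("7z.exe", "7zg.exe") and (m := re.search(r'-o"([^"]+)"', cmdline)):
            findings.append(("archive_extracted_to", m.group(1)))

        # Notepad with a file argument (the report flags Readme.txt here).
        if name == "notepad.exe" and (m := re.match(r'"[^"]+"\s+(.+)', cmdline)):
            findings.append(("notepad_opened", m.group(1).strip()))

        # cmd.exe /c running a batch script.
        if name == "cmd.exe" and re.search(r"/c\b.*\.(bat|cmd)\b", cmdline, re.I):
            findings.append(("cmd_runs_script", cmdline))

        # lodctr /r rebuilds perf-counter settings and rewrites perfc*/perfh*.dat.
        if name == "lodctr.exe" and re.search(r"(^|\s)/r\b", cmdline, re.I):
            findings.append(("perf_counter_rebuild", cmdline))

        # Browser launched with one URL argument.
        if name == "msedge.exe" and (m := re.search(r"--single-argument\s+(\S+)", cmdline)):
            findings.append(("browser_opened_url", m.group(1)))

        # COM local-server activation through rundll32; record the CLSID.
        if name == "rundll32.exe" and "shcreatelocalserverrundll" in low:
            clsid = re.search(r"\{[0-9a-f-]{36}\}", low)
            findings.append(("com_server_via_rundll32",
                             clsid.group(0) if clsid else cmdline))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(f"{rule:26} {detail}")
```

Running it against the sample prints one line per finding; the three `exe_from_user_dir` hits, the extraction folder and the batch-file execution together give the Downloads-folder chain the raw list only implies.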
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipv4.icanhazip.com | udp |
| US | 104.16.184.241:443 | ipv4.icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.ipgeolocation.io | udp |
| US | 104.20.61.122:443 | api.ipgeolocation.io | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.61.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nc.bmexcellentfocus.net | udp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
| US | 8.8.8.8:53 | 74.8.92.153.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | cdn4.cdn-telegram.org | udp |
| US | 34.111.35.152:443 | cdn4.cdn-telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.35.111.34.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 164.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 92.123.128.161:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.161:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 161.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 20.190.160.17:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 5.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| GB | 88.221.135.112:443 | aefd.nelreports.net | tcp |
| GB | 88.221.135.112:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | 112.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | eu.static.mega.co.nz | udp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 5.145.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.169.44.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.14:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.14:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 14.125.203.66.in-addr.arpa | udp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | | tcp |
| N/A | 127.0.0.1:6341 | | tcp |
| US | 8.8.8.8:53 | gfs270n369.userstorage.mega.co.nz | udp |
| LU | 89.44.168.79:443 | gfs270n369.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.79:443 | gfs270n369.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.79:443 | gfs270n369.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.79:443 | gfs270n369.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.79:443 | gfs270n369.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 79.168.44.89.in-addr.arpa | udp |
| LU | 89.44.168.79:443 | gfs270n369.userstorage.mega.co.nz | tcp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 92.123.128.133:443 | th.bing.com | tcp |
| GB | 92.123.128.133:443 | th.bing.com | tcp |
| GB | 92.123.128.161:443 | th.bing.com | tcp |
| GB | 92.123.128.161:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | 133.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.7-zip.org | udp |
| DE | 49.12.202.237:443 | www.7-zip.org | tcp |
| DE | 49.12.202.237:443 | www.7-zip.org | tcp |
| US | 8.8.8.8:53 | 237.202.12.49.in-addr.arpa | udp |
| GB | 92.123.128.161:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | www.rarlab.com | udp |
| DE | 51.195.68.162:443 | www.rarlab.com | tcp |
| DE | 51.195.68.162:443 | www.rarlab.com | tcp |
| US | 8.8.8.8:53 | 162.68.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 6.121.82.140.in-addr.arpa | udp |
| DE | 49.12.202.237:443 | www.7-zip.org | tcp |
| DE | 49.12.202.237:443 | www.7-zip.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | cdn4.cdn-telegram.org | udp |
| US | 34.111.35.152:443 | cdn4.cdn-telegram.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
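Most rows in the Network table are noise from the analysis VM and the browser session: reverse (in-addr.arpa) lookups the sandbox issues for every IP it sees, Bing and Microsoft sign-in traffic from Edge, and the GitHub, 7-Zip, RARLab, Telegram and MEGA pages visited during detonation. What is left after removing those is the external-IP lookups (ipv4.icanhazip.com, api.ipgeolocation.io) and a single host not explained by anything visible in the session, nc.bmexcellentfocus.net on 153.92.8.74:443, contacted twice. The script below is an added example, not part of the report or of the sandbox: it parses rows in this table's format, tolerates the rows whose Domain cell is empty and whose protocol has slid one column left, and buckets the flows. The list of known services and the pattern for IP-lookup sites are analyst-supplied assumptions; "known" here means the service is identifiable, not that it is benign, since the report itself flags legitimate hosting services abused for C2.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the Network table of this report,
# including two malformed rows (empty Domain cell, protocol in the wrong column).
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | ipv4.icanhazip.com | udp |
| US | 104.16.184.241:443 | ipv4.icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.ipgeolocation.io | udp |
| US | 104.20.61.122:443 | api.ipgeolocation.io | tcp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nc.bmexcellentfocus.net | udp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:6341 | tcp | |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
"""

PROTOS = {"tcp", "udp"}
PTR = re.compile(r"\.(in-addr|ip6)\.arpa$", re.I)
# Assumption: services whose only job is to tell a client its public IP.
IP_LOOKUP = re.compile(r"icanhazip|ipgeolocation|ipify|ip-api|ipinfo", re.I)
# Assumption: services seen in the browsing session; identifiable, not vouched for.
KNOWN_SERVICES = {"bing.com", "microsoftonline.com", "github.com", "githubusercontent.com",
                  "githubassets.com", "t.me", "telegram.org", "cdn-telegram.org",
                  "mega.nz", "mega.co.nz", "7-zip.org", "rarlab.com", "nelreports.net"}


def parse_row(line):
    """Parse one '| CC | ip:port | domain | proto |' row; None for non-rows."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    # Malformed row: the protocol sits in the Domain column and Proto is empty.
    if domain.lower() in PROTOS and not proto:
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port) if port.isdigit() else 0,
            "domain": domain, "proto": proto.lower()}


def summarize(text, known_services=KNOWN_SERVICES):
    rows = [r for r in map(parse_row, text.splitlines()) if r]

    # Names the sample resolved, minus the sandbox's own reverse lookups.
    dns_names = sorted({r["domain"] for r in rows
                        if r["port"] == 53 and r["domain"] and not PTR.search(r["domain"])})

    # Every non-DNS flow, deduplicated, with how often it recurred.
    flows = Counter((r["domain"], r["ip"], r["port"], r["proto"])
                    for r in rows if r["port"] != 53)

    def known(d):
        return any(d == k or d.endswith("." + k) for k in known_services)

    ip_lookup = sorted({d for d, *_ in flows if IP_LOOKUP.search(d)})
    local = sorted((ip, port, proto) for d, ip, port, proto in flows if not d)
    unknown = sorted((d, ip, port, n) for (d, ip, port, _), n in flows.items()
                     if d and not known(d) and not IP_LOOKUP.search(d))
    return {"dns_names": dns_names, "flows": flows, "ip_lookup": ip_lookup,
            "local": local, "unknown": unknown}


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    print("external IP lookups:", result["ip_lookup"])
    print("loopback/multicast :", result["local"])
    for domain, ip, port, hits in result["unknown"]:
        print(f"UNEXPLAINED {domain} -> {ip}:{port} ({hits} connections)")
```

Feeding the full table through `summarize` reduces roughly 180 rows to the two IP-lookup services and the one unexplained host, which is the set worth pivoting on; the known-service bucket is kept separately because t.me, GitHub and MEGA appear here as download and contact channels, not as background noise.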
Files
memory/1620-0-0x000001EC8E010000-0x000001EC8E3BE000-memory.dmp
memory/1620-1-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp
memory/1620-2-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-3-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-4-0x000001ECAAAE0000-0x000001ECAAB92000-memory.dmp
memory/1620-5-0x000001ECAAC20000-0x000001ECAAC96000-memory.dmp
memory/1620-6-0x000001ECA94F0000-0x000001ECA9512000-memory.dmp
memory/1620-7-0x000001ECA94C0000-0x000001ECA94DE000-memory.dmp
memory/1620-8-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp
memory/1620-9-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-10-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-11-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-12-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-13-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-14-0x000001EC900F0000-0x000001EC90100000-memory.dmp
memory/1620-15-0x000001EC900F0000-0x000001EC90100000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip
| MD5 | 78133a997800607b4538c50a27e8596b |
| SHA1 | ad0e580985da260005fc2f884fb29577d2b0729d |
| SHA256 | cf5fc43fed578e0d1313287c387f86017ed0a03708b86d8145807cfb12be4238 |
| SHA512 | e81964b3c17fe1e7fd04eecd8c7c5a989ecc8a510a37e6ea5a4ff9d3ae665bad6844be4f2f9d8931cd74f9bcccb03d7f2218d0c87bf083b240455a70845c510c |
C:\Windows\System32\perfc011.dat
| MD5 | 50681b748a019d0096b5df4ebe1eab74 |
| SHA1 | 0fa741b445f16f05a1984813c7b07cc66097e180 |
| SHA256 | 33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a |
| SHA512 | 568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e |
C:\Windows\System32\perfh007.dat
| MD5 | 312d855b1d95ae830e067657cffdd28c |
| SHA1 | 8133c02adeae24916fa9c53e52b3bfe66ac3d5a3 |
| SHA256 | ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf |
| SHA512 | f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14 |
C:\Windows\System32\perfc007.dat
| MD5 | bc3d1639f16cb93350a76b95cd59108b |
| SHA1 | 47f1067b694967d71af236d5e33d31cb99741f4c |
| SHA256 | 004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9 |
| SHA512 | fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249 |
C:\Windows\System32\perfc00A.dat
| MD5 | 08728aef33bbac5884423c1597e74a29 |
| SHA1 | 64d28ea3dc5c4392a0210b4d26db146b26e40f0b |
| SHA256 | fbd64fca18300003ddcdddf3b25ad501cf224035ef5975dedc64c7d139eb69e6 |
| SHA512 | 001cc1ef7a69ce59a9e37133a8cdf14cc8e7a09bc74d4678d9af25da3eaa9d99efc6fdf64fd2e301acb796cef4a988d502b63a61dcce14511568130bb1551a0c |
C:\Windows\System32\perfh00A.dat
| MD5 | 757de55399f7c5167e7cdfa65f184108 |
| SHA1 | 06876adabd18e79946cc5280861145432257d210 |
| SHA256 | e7c22cb8443fb549de7a3e826645450ed47169ce0168c740096de44addd360dd |
| SHA512 | 51977c1104108e5b5ab0042e6d10ec95195be8c62dbd547b85626cc02b35e46cb363be8804f360220ce347709da3ba1626f253477b7512cdd414f1ad96cf4571 |
C:\Windows\System32\perfh010.dat
| MD5 | a5389200f9bbc7be1276d74ccd2939b4 |
| SHA1 | 8d6f17c7d36f686e727b6e7b3a62812297228943 |
| SHA256 | 494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087 |
| SHA512 | fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92 |
C:\Windows\System32\perfc010.dat
| MD5 | bea0a3b9b4dc8d06303d3d2f65f78b82 |
| SHA1 | 361df606ee1c66a0b394716ba7253d9785a87024 |
| SHA256 | e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927 |
| SHA512 | 341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88 |
C:\Windows\System32\perfc00C.dat
| MD5 | 0cfd5298e63f44351ebca47f6a491fbe |
| SHA1 | b86c08b13f0e60f664be64cb4077f915f9fc1138 |
| SHA256 | 562261cc16c6e5e2e3841a1ba79083293baa40330fb5d4f7f62c3553df26ccb3 |
| SHA512 | 549e5c28598ac2a6b11936aa90f641dfa794c04dd642309d08ef90a683d995d8f2d3a69ee2ecd74adae5beb19e9de055e71670922d738bd985657ffe75ebe235 |
C:\Windows\System32\perfh009.dat
| MD5 | 367662b55faba4e0728f3c296daa92a7 |
| SHA1 | 1775899bd0f1bb5cf945910db18aa3a9d4d15b7a |
| SHA256 | c2ea1af1c970468f522e354c8e47b121b66a0d0428a8400f4a5cb03216368ce1 |
| SHA512 | 283e9cf2bf6fe904b530bd188347641c1d30b27c95d89552e18aa33be1c7e2840f10a09868a2862ee53bb805cef2cdbb31b8db391ca140b5dda27058dcad11ce |
C:\Windows\System32\perfh011.dat
| MD5 | 394e68a48cbedf2aa4290ad4be6c1254 |
| SHA1 | e9b5a4204bedd201adfee94cd4bd475f92d508a0 |
| SHA256 | 48dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88 |
| SHA512 | 5b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c |
C:\Windows\System32\perfh00C.dat
| MD5 | d5972cca5d434d4ca1742fe0a5ddd5d4 |
| SHA1 | a3cdc3ad50ff9ba19722f2e2cb76f95b60bd92b2 |
| SHA256 | f85cfffd1414d3e975f430a1e2f2a3b473ee8995a961dfb103fe18d5bf06e321 |
| SHA512 | 2ce34cf9b868fda0852e6b0d805171fcfda00c0c6cf044bf8831e6fa2aef4933ae00a8eaf757c09d67c30ae7ab58136959351f7d04d8ba6921f51fc87378565c |
C:\Windows\system32\perfh007.dat
| MD5 | eadd51b4e0a81aa0a1ec7392a1ce681a |
| SHA1 | f384c3bc0f16ccb5049ebbf7df776e684da84706 |
| SHA256 | 1a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4 |
| SHA512 | de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4 |
C:\Windows\system32\perfh009.dat
| MD5 | 56c3b96dd714b0da77c0b9fb0d392c86 |
| SHA1 | 6dfd6e883c67ea4aef8a03d28874a677441e512f |
| SHA256 | 1bc70ca290a7b4afc37049a8435c81d9b863520609d2e4f627d08cd21c07a58e |
| SHA512 | c2036039da93d0c594b99aad74f1bb807c7230a746d749cec57a5f6012e8dfc401f9430fe1c7090280532ffdb044f7a4970e17e5cede82581793d69e9bc6d10a |
C:\Windows\system32\perfh011.dat
| MD5 | ab91dd7fa8878b8d14608522cc38102e |
| SHA1 | c4cf62ad6183a2d341fb3de756cb672516897183 |
| SHA256 | 7aae74ee957962add631778e45a174693a15a2e9ca48e151f2fb5e31488eecf7 |
| SHA512 | f1202cbb56c93182d1aec675d9d069d1156d2cbe11cc6b05358f0e83786e4a04b0a6ba42be378574d01b8d17a3f2e38110d45f7d7a10cd89f8d7d8c83ff35455 |
C:\Windows\system32\perfh010.dat
| MD5 | 70ac53e2ebbd863ff7f319d68aed16f7 |
| SHA1 | 90109a5028b07e8aa36846fe5096e04bd97839d6 |
| SHA256 | a4e35710b8277d733eec1c165459f85d9660fbe264ccabe0a624626e93763e37 |
| SHA512 | 8fc6d4c665a642e86acfffa35ce6c6d7bf49c1a414de8b15fb5cda8d121f4d671914aafe0625ad11e87fd74f0bba2d40b9a71f373d1ae67a12b238b023682af1 |
C:\Windows\system32\perfc010.dat
| MD5 | 4f32511bd6124c1b65c8f7fcd244a82b |
| SHA1 | 6d840ddec80ee4f6ab99a1d0b55c50a568edd722 |
| SHA256 | 8ceaa2e1a9cc8b7f76e6a2551bb1dfbcc64896c8c3fd5901e417f41ddff35e6d |
| SHA512 | ca8c8103a4ec3b8f1a070ee2a3301f8af64e08cfd40b21022e5d9f54e3decfc55b7571112d186aba9d7b4c7b5720f7eb0ff3847b39366dd04b912dde386a73e3 |
C:\Windows\system32\perfh00C.dat
| MD5 | 9a780b14eeafa8b9a2409f02bf9d9af0 |
| SHA1 | f52c28235879e45685ee0163f97c31099baa616d |
| SHA256 | a04ee6316af61e7a475d47ab74744ea485b419566f5e40c96ec09b400926b932 |
| SHA512 | f316652ec8dc3af06842de056329230152e74f53530c4f099a2ee73a96106f2fc3dbf244dce75c10e3131cdfbaa3b4a28d8ff116f8d6d7ae7b5553688c170d7a |
C:\Windows\system32\perfc00C.dat
| MD5 | 9f9af8517189b0d61b2615007e071084 |
| SHA1 | a33753ca07f370b7d99f6658b32abb97eed7bbc4 |
| SHA256 | b6dc84d6c21f558e69174d3b62e13fbb8aecd5e49de0fb737f56445a9b883034 |
| SHA512 | 640f51590a6f5d61e9dcb9a463a6b7aae6d88749843d1ec62f30a00c95b4a449b442281ac61058db4da464bee03e62a1f43a91b0a05914d4dbda2bce007d745d |
C:\Windows\system32\perfc009.dat
| MD5 | 1e60bc5e525063b96078df17fbd3c4e1 |
| SHA1 | bae8eda409cb3e016ddd420c6354aeaac2d267b9 |
| SHA256 | a0894847ca6208cf7e519d8e825458596bbcd78156a453e32872de7592ea20d8 |
| SHA512 | 5758d535e4ce20cc30b9b57fea1811feffb2655ecc6eec69c942defb4b4f8c06e8e37860f85ec7cad26df9d7635ecaf131a68ec4ee291aa36e448c7ef2339652 |
C:\Windows\system32\perfc007.dat
| MD5 | cacc87a7a4824d4fca6da760d909821d |
| SHA1 | a1f2ccfa48a2d8877425f16e0723e3b3ce8f0f67 |
| SHA256 | 1f431b499e240794a4f798579cdb642dcac1b271451291327404c98605e5ebf6 |
| SHA512 | 7ac2c48b41a1b13af9c8a0097d913ff5c8fbe72456faf49d0dda213ffe6ed4d2373f16963d42c5d9d09cccbc8d70ede86eba03c815a4c9b2c6af8a5d739c76ee |
memory/4656-2935-0x0000000000FE0000-0x0000000001000000-memory.dmp
memory/4656-2936-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp
memory/4656-2937-0x00000187E9DE0000-0x00000187E9E22000-memory.dmp
memory/4656-2939-0x00000187E9DD0000-0x00000187E9DD6000-memory.dmp
memory/4656-2941-0x00000187EC080000-0x00000187EC0D6000-memory.dmp
memory/4656-2940-0x00000187EC020000-0x00000187EC07E000-memory.dmp
memory/4656-2942-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
memory/4656-2938-0x00000187E9E30000-0x00000187E9E58000-memory.dmp
memory/4656-2943-0x00000187E9D70000-0x00000187E9D76000-memory.dmp
memory/4656-2944-0x00000187E9DB0000-0x00000187E9DB6000-memory.dmp
memory/4656-2945-0x00000187EC0E0000-0x00000187EC11C000-memory.dmp
memory/4656-2946-0x00000187EBFC0000-0x00000187EBFDA000-memory.dmp
memory/4656-2947-0x00000187ECF00000-0x00000187EDCDE000-memory.dmp
memory/4656-2948-0x00007FFB3F037000-0x00007FFB3F038000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll
| MD5 | 2f1a50031dcf5c87d92e8b2491fdcea6 |
| SHA1 | 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f |
| SHA256 | 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed |
| SHA512 | 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8 |
memory/4656-2956-0x00007FFB3F948000-0x00007FFB3F949000-memory.dmp
memory/4656-2957-0x00007FFB3F949000-0x00007FFB3F94A000-memory.dmp
memory/4656-2958-0x00000187EE4E0000-0x00000187EF0CC000-memory.dmp
memory/4656-2959-0x00000187ECA20000-0x00000187ECC14000-memory.dmp
memory/4656-2960-0x00007FFB37DFD000-0x00007FFB37DFE000-memory.dmp
memory/4656-2961-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
memory/4656-2962-0x00007FFB37E14000-0x00007FFB37E15000-memory.dmp
memory/4656-2963-0x00007FFB40090000-0x00007FFB40B51000-memory.dmp
memory/4656-2964-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9f44d6f922f830d04d7463189045a5a3 |
| SHA1 | 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c |
| SHA256 | 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a |
| SHA512 | 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d |
\??\pipe\LOCAL\crashpad_1008_DDUNRIIOKJGLEPYG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7740a919423ddc469647f8fdd981324d |
| SHA1 | c1bc3f834507e4940a0b7594e34c4b83bbea7cda |
| SHA256 | bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221 |
| SHA512 | 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7719752b78f60b04406a219a78ace6d7 |
| SHA1 | 367bac15d80bfd029ef3de3bf87edbc211623a26 |
| SHA256 | 1785000a58b6f547a2569bdc1e771b0791126fa683e7a526997db8b84c7e3542 |
| SHA512 | 7e48825c60f922139665072390a640ff352f77ee1683286a7669dcaa3097fd989e5071081447ce5b0e9411b1f1d2957391723fdf436ac63b904b5e5b2b5439d8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/4656-3008-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fa04fc4a3498e4b6dd284ab8500aeac2 |
| SHA1 | faf6e6494fa6b16325c721b333eb6ecdd692ffca |
| SHA256 | ea793397d765555579a250da048a4e6d7b76aecf7549964dcf372dd3fd507bb4 |
| SHA512 | 89bf09d856e5a449e4cb357613fcf57a38b9ac39cac7873565b49115ece3c820ace8a88de982eb1f7df2fa39788361bba999cc1d32d1c75c861195d96351d51a |
memory/4656-3020-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5520b8e66e67ed126359c76400a61d80 |
| SHA1 | 57bf4da9ef0fabd8d3f7dca95025863d4102b7c9 |
| SHA256 | 7a6ca4b013c6d4efaa899fd6aabac26d59b15d5df608c09117c6fa25ec0d6215 |
| SHA512 | 4115721f21ddb62f206efdd1e6373925c93c7beb4f5d1298c903342652dda90e4f1e0011e27c0ce74b48b26fe20d6b7a1d7432a9a8ec0bb7ceb802aa394c71ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d8a2e1f160dd2db277e50a1523eeb956 |
| SHA1 | 39c81e923261f10601717700a2d7b8f76a150e08 |
| SHA256 | ab2bed1238a7501515d18eb3e3b493db6c383cd6effed1bfae11cb0cf8180a68 |
| SHA512 | a5bc86fda4f7cf5d1f4a430204d6de18c030cde57115aa88613bb87ba8c0212bd1a130755e5d7fd2fe4623a29410819b827c5787bf5bb0fac7ce415109bc915c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 9c69baac6b5a2f51afd9ca00849db5cd |
| SHA1 | acd3b010235e21a356f34c72f9b1689472589f21 |
| SHA256 | 732652e55cb1ec800b23e6dc654fe248265a480288832b2ad9ba65000eaf2f57 |
| SHA512 | 3c45ac800be6ee9a4fe4ae7e6bda0a675938b377db08e6aa5a90c85f065fda9eb8b6a1723e4c5d1f00203d407c22c118a2ece6616ba350bac3f27e77d73589f7 |
memory/4656-3095-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bafae02e7e8c18390056017445e344b5 |
| SHA1 | 95ff9b70ff6de48f4808fb64f9ca586d6daa8c2d |
| SHA256 | 2bfc9e7af0bf73ceace3e681911061d249816be984f9a0207c4d6bfc8c5303d5 |
| SHA512 | 7a048eb06f4764aba730d62baead61b47250f29420852c75d91a6decc28a0af120713b0db071ad47b6337294bf029579ca0c71737b43e320d20bddc5e8732dc2 |
memory/4656-3114-0x00007FFB37E0D000-0x00007FFB37E0E000-memory.dmp
memory/4656-3115-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
C:\Windows\system32\perfc009.dat
| MD5 | 243bb32f23a8a2fa8113e879d73bfdf7 |
| SHA1 | 2f9d0154d65d0b8979a1aeb95b6cf43384114f70 |
| SHA256 | 69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c |
| SHA512 | 34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8 |
memory/4656-3117-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
memory/4656-3118-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
memory/4656-3119-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
memory/4656-3120-0x00000187F30C0000-0x00000187F3169000-memory.dmp
memory/4656-3128-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
memory/4656-3129-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1774153e043cec027d294dbb0864fb56 |
| SHA1 | 6cd4ad82a2703a1c7226085d06a6cdabaed26cd7 |
| SHA256 | c6b87c81a3c77d53d344b19ffc692519c469b2361617d8881c853d210e9d01e2 |
| SHA512 | 354cca86583daeb9705a6256f44d5728cfbba7ad1e9530fcc96c9e351a163a3636aee53695f64550f060b9ecfeafc2618988c2740bc797327d16cda4e5923b5a |
memory/4656-3200-0x00000187EBE90000-0x00000187EBEA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b415ce2cb25bb3841786d2a5bf96818c |
| SHA1 | 5a00c4dfdb5179a660316323bbd279045e0ec87d |
| SHA256 | 2600a83425f50724251163bfebbd75c5b3b565cec49802927d3bc791f7ecc019 |
| SHA512 | 735e13fcad4807741fcddbd3d303d085babd0d9909164b1be764968b9d2f869b18432d343b63d3d4f0b4ce2e2b0223dcfe09843f33040fd8be6a0f23fb4983c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe635672.TMP
| MD5 | da738e25ff3a6852933cb224e2fda368 |
| SHA1 | 6d9820c667793bae30d0c9ae5cbf5419f438fcbf |
| SHA256 | ea7c80135838a9d86357706deabc959536423b8a2699fc4cd8141cd44ebcb748 |
| SHA512 | f473b61cef33182200f67b6cd6ee12de12c65e6a1eeec728dd25e5c57dcf42372501a32ac31be167188c0909bb10d88308855611224dcdec320def48b0e07f5e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 43859622122aea8b431a1ca701d0f436 |
| SHA1 | 032e3f3b25ab7b88cb4634cec2984f87794ea59b |
| SHA256 | cf4b615c5d425471ca64910cb4e510a8779cd90adc667678f50f7b08ba925b0e |
| SHA512 | b5d3e7226ab47cbcf6e6a21512952cc6425b218306e6f404f6edba9abe0ebe33b3c1e367b2ba25dbdced1869d18bb5b77d95a2009281106d041f95d6573ce5f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d210144a0c446f4327468c257fe066b0 |
| SHA1 | 819f4355b270e95280caa4189de8539f42061cf4 |
| SHA256 | 5adebd2561f3da5065ffbb64cbd61c332600ba34a9b72983c6f85f89ebf7c72c |
| SHA512 | d31df9bf3a7e37a53c7cc315e0af1cad703f42d084d99a55425f553f2e125b80c1902a8c10cf56ad9f41ed97d2bcd2895308c5272b5ec6a78f29ef4025d6cd76 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ca550150a1752b823ff0c6ccf22c96cc |
| SHA1 | e63eed0373a1ee59c6e0b297c1018d0986a899a0 |
| SHA256 | 4e0f955e07f56efe9c78e8d962990323cc1b460224752d8ca5da5f7ccb04bb27 |
| SHA512 | d2ec2f25cfe6fc954781debacedd637d544a5f4b447966e71bfe67d7bf525b01ae7d02debe050ee60e67451109c98248bd55b13b6ab01c6064e24577d7a058a2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 12bfc9dc8c345031c5fbdfc29f3a1732 |
| SHA1 | 01700b1a5aa2a1f25c64d51607e7700baa9540fd |
| SHA256 | 1f7df6dc73057d1898b330ae3f46a94ff5f7639e1b38b4579cd9e9e0f129edff |
| SHA512 | e5419b4b0aff18508cf24f419efd8d987546796fea178294abbf49a6171e4e3a0c76112e2922d4d2149b67af9a704cf9697181015d2731cec24ef6f9c4448ab0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3bded50ba67b3f06073ac33e42339810 |
| SHA1 | a5185e9292f952dd139ca8650a213066945de9e9 |
| SHA256 | 2968da693cde282cf08b14fc4c8545382d81ba6c5a3f5288d432d284e01a027a |
| SHA512 | 0bfdde366d7cdf43e75ab5c97f8a00cfffcd42b635f1b987bd59f15ddf1919b659427b910ec4dcc69c35c8002ba3e71b1533a29c95358be5e7532ec83497479f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6ff3001b5341e0a4fcdf0364162df3de |
| SHA1 | 661cb98d65e028e9b68e82932a2f7f029addd67c |
| SHA256 | 1bc56b6dda7bdc6363d9974f9e6e7f046f8f9b839fc6b052007fbe4503102567 |
| SHA512 | 54d174373548d52aac987dac28a2fb2da062701be965de45327b037686296cc158a129cad6509b8f60f535d5b05cbb15dce13d98753d2934b6270f27733647e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a4f6f3c2d6e6e50ccb20973340c0310c |
| SHA1 | c23fbceee436f55e1bfa6f1aaa8eb2f369764e8e |
| SHA256 | b641e88010c3ad089de8fabc4b0d95658613406ccc71999ece61ef02ea4c3cbb |
| SHA512 | 49eb621771db2cb36eb402dbc4a122be7e4e24c9aea2026ae52ffd6d5ca122bf576c4d7ea08efcc0277b4a44866fc654b2fe88225527241e967481f858c0e284 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f61a65963a2b6a38f9c956f0a0cd99ae |
| SHA1 | 41549de788cb5852e120f04fdefecd168a3e1023 |
| SHA256 | 1608838ecf5c10c610fe1af3ecee3b0cb34632d504e762df6cd336babfc96dfb |
| SHA512 | 841dcea9d543de7f64bebd5b111792c26fb62ba3c2b0651a9d0356ba8d5a154f49b5a27b289aad20ae5c9618fc8b097af5dbea398c619b48e1a09ea47cdf3293 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 8c87bfe8e853235ca15f34804582e3da |
| SHA1 | 149026ff06db3854a894d7e235d66c11952b7a09 |
| SHA256 | 4f3266b91bee3148b9c6a2c2211b8531edb9f53f0f243105d80e67e798835134 |
| SHA512 | 6d0464c749f405fac318998c728085a8d201139840f52aeb5e2d9b950c7597220649e5951f5f0ad17d226dabb5dcfce14549925119bf96438f2fd79ae55206fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 784d23087d26ad3f66416aaa878de1ad |
| SHA1 | c49a352a048a15df7a095c53a7241c4c3c41dc37 |
| SHA256 | 6c28c1ff3a0b37306fb32923f1c00b4f3242641afdfd683215106195706c00a7 |
| SHA512 | a40ef27d0d9191d918f661206544107219b0aa003afeb347843d2504806a226640d924b6748a55af1f5c26a503372beea025e49639317461a5374f13bdbc5b34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039
| MD5 | 950eca48e414acbe2c3b5d046dcb8521 |
| SHA1 | 1731f264e979f18cdf08c405c7b7d32789a6fb59 |
| SHA256 | c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2 |
| SHA512 | 27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 695fec2be3b33787ea2732904a1f5207 |
| SHA1 | 890e312ae973585a2dce58902fb23fc03ad2c8b6 |
| SHA256 | 2cdbbc257955ccedbff2d385f2eb646a7798ba35ec7d92b087dc3fdcfe799b9b |
| SHA512 | 59234ea821fc0e87307992e0ad6602c53c7a9c435a52e19699729c257e3c20474a85712a1e40f2b98b816d7157569b2493e87646ce407908a2a78f9b6a5f5f7c |
C:\Users\Admin\Downloads\XWorm V5.3 Optimized Bin.zip
| MD5 | fedd12ebf6a7107c2454a7a42e45b733 |
| SHA1 | 6ee5f962260f6ed79bfcea408a6e1315289989c3 |
| SHA256 | 22df62f2469fafbbc09b23be0aacd2bb95636aed427712f03c19c4967ea588b0 |
| SHA512 | 826434d09e0ce85c7c4cf283b65bc186390689f13de36ec6fc1cc97a07b961c42689dfeb04e37a5f13ee5566484ee1442e96635433bb3c18630af77157b78c75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe64d590.TMP
| MD5 | b7774d8110e2ac7245e9eb49a01c8803 |
| SHA1 | ccaf70c5ae8e3afeda07443f41fcc17d630bed1a |
| SHA256 | 7784dc44fe35632e9155129efec4a1011a6b20ba3e36d21a591d0dbf6077e1a0 |
| SHA512 | 33141d7738e7319bdee36b933d90160034a09965b9b9e5f39c4bf2212191ec248a4b23d74d501630a60e01252a77949cced08decc802e3eea4881930e0c2ada4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 49784b936000c6c01df183f8bdbb1c57 |
| SHA1 | ca85127ad4f9904bcb84536dd1909fcf8a52a2f9 |
| SHA256 | 87c079be770e96c381f9d8bb66535d2e107a2a4f86ecd785a81dd12250f71363 |
| SHA512 | d04aeb0d634f6d54fa6c7ecdea74b6d5721d7d877b688d20bfe3b90cc52e429006909c98b7f3403524691d4f83c6e29cdec68460c2080e92c392d1e6259eb66d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e50e3c08095e9743ef0dc86a1ad1ed7b |
| SHA1 | aab318ab9ba070db7bfcffd21c61a05fbab8e26c |
| SHA256 | d003cc8164f8805c614cb80ce74049b056e10685e80b0747c5b612574f6cb2f3 |
| SHA512 | 8b52b55dc750c788d66fe83acfe3686bfa1d1ed9eb30feb6f2014df096fd781f66e10ec36c9b48bf15cc4184bacc62d5532a9bed190688c565e1725aa4848f9a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 24d92f019d758cfe730d9758aec24948 |
| SHA1 | 395b2e4f6d68f801ffff93e5a8898708d9163789 |
| SHA256 | 41ed1f47534d536e34887bc4f9beca63e9692109a3e5bd4a12f08f9ed662a455 |
| SHA512 | b8a4e394977e176793426a55ff181290e294d8b7d4d503dfd7d3493ce8c29f16f833aa4f30d3e60916951adbd92ef9b130836fb1b4d25eace64c615f362d981c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3abb9e31f41d3e6d1e909e13e27b010a |
| SHA1 | a1e721a6564b8d2b91d4d96a01ff253260e89f97 |
| SHA256 | 1393470d45b6f12f21c68da10c3a5ef3e4a2b124ad6f80ade608c2f738d1bee8 |
| SHA512 | c8a276cd5fd9b0bf8e242b76c691a89310255b1e03e556d584925b0ca3e98282dadc75189578736b05ccc25a68a3c5dfcf9ad8ee6afc023226455f3df14d6fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 88a552e6be1ac3978c49143983276b3a |
| SHA1 | dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423 |
| SHA256 | 927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5 |
| SHA512 | 125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 1fddfdab08937ca30e43dc454840c64d |
| SHA1 | 25af586ab7462e30465c9306426062b9d10bd058 |
| SHA256 | c578d1b5c5f608df3926d2658217ae728beace6455244c0cd9e3e3d15e455013 |
| SHA512 | b0f5666b0fed1321f525f72b5950b8c694032160e6e5fe101201f4fda3ea3c04fae226a997f949478a93705c8a2f25e3567eb69e35dd7bb6bff85d4bdc481fb9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
| MD5 | 74e33b4b54f4d1f3da06ab47c5936a13 |
| SHA1 | 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c |
| SHA256 | 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287 |
| SHA512 | 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
| MD5 | f86ce2628602974d4a9d5d06f04aa5fd |
| SHA1 | 87954f89c760c24836909c305dc359c6de974488 |
| SHA256 | 33c09ca0cf367dbb24c92a6b0f14f017c0b500df9a2c5de292cdf5e8bce87e6c |
| SHA512 | a1319c15cdc4063b99e7c2de939d63302779fbec9b0ca4f48d2428accaa4df7643fede261076292f0de1fba907beda820188c0fd7b4aa84506b77636aabe0af5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | be6ac982fcf18bad9c36da0ad1707a36 |
| SHA1 | ecee6413be12900116adb68cb5c3ca11e564bc04 |
| SHA256 | bde6b859f1ec98bd23c0d3c83bf06357ef04d544db3f6711e2ee8a04f2657080 |
| SHA512 | 310cc3dc60af50346885b9ed0e353b3423bc4c478f19da523adba97a4d7131b07f19c8699519fde08f96a7b00365b122c2c23dcc889d15a741dc1d06698460bc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bab1732f740be434a459285ae0938e30 |
| SHA1 | 32dd07757693ba50b401b4a23d70f489bb5e96cd |
| SHA256 | c948a1fd048dd6272268d9c6829e554f29d618070567e20f5cf2b29d689431b2 |
| SHA512 | f81dc6b505f641badf8ff5f7d7af1de458bfa6a1bdab22665fe5ce172956d6355d5996ec98af0800cfdf9e4fff80a3ff3e8a8a0fe03f61d43cd249d7aa6c6fde |
C:\Users\Admin\Downloads\Unconfirmed 444893.crdownload
| MD5 | de644b4e1086f1315c422f359133543b |
| SHA1 | 54be86d121879b0e5d86604297c57a926d665fa8 |
| SHA256 | 17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd |
| SHA512 | 714d41254352d91834a4b648d613e9b4452b93b097b5781ec5bf3ec7c310a489d3a1c409b2f0a6946822b96f6943b579910d26a5f4324b320d485e856dbdcb1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 365db53c78dc4a6c4acbddcf2430b249 |
| SHA1 | 271bad2be0860960ca9965a822169678775d7ae4 |
| SHA256 | b2a817680ca18d66c822bfaa0c187872ac1728fe027b05124c83681ea9b96b5f |
| SHA512 | 8430e85412562b5d2a9d27d0baad692d85a6b2deb15b77d07bad819ac80b4c4602ac33c5e862bacbaf1ecc8d9f60e4e935cd6fcf966b48189459895da8738392 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
| MD5 | 3cd0f2f60ab620c7be0c2c3dbf2cda97 |
| SHA1 | 47fad82bfa9a32d578c0c84aed2840c55bd27bfb |
| SHA256 | 29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b |
| SHA512 | ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
| MD5 | bc9faa8bb6aae687766b2db2e055a494 |
| SHA1 | 34b2395d1b6908afcd60f92cdd8e7153939191e4 |
| SHA256 | 4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed |
| SHA512 | 621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | af767f60f8f5ea903ef56a82d2fe73f1 |
| SHA1 | 2162b127af171565e10597da81621d35d538eecc |
| SHA256 | 843d5b82442ecaba71820e9fa6dd3ab321cf556cd4c703d3424e6f0b27697b51 |
| SHA512 | 0405d9a7e5e9dcab39e1f650d550f2bb901f5afa19329d2d1ece577a5dd2a82f161cf2788c2f32a4cb4a33b7456b9c150ac7671da40f51ddaec7161cb5004cff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c892e029c272adc78711e984172249cf |
| SHA1 | fa4b6db4a4e93f83ec3304f3a04b7a0e8e1f8854 |
| SHA256 | 6ccd26dde7157f0ccfffc63ee67d03cd148efb3b6d50e94dc4ac8c58c3a87bee |
| SHA512 | 8af2846d7231ece010b023554b630bca9e6552c5b4dac083daf079f61378bd26becd879c0b794dd38aff8fc3ce5fde784cd044cbb1685bd36c0ddb2f04244370 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | e95cbb228af888f31d41b2dc69bcd1d6 |
| SHA1 | 98efed8badc5acd7735e94d62d864b2dcdf4cfa8 |
| SHA256 | 99d79cfef45fd7847d5cb9f7228419aa2ddd3b82a07ff686d135fd860f89a072 |
| SHA512 | 15420cc465744165f9f16aeefc75bbeece70cc7a0256822eb9ff6edd30037f264f7e9168c91da16cc92c7643d0ac9875bc607a75a5678c5ac860e0392370dc6b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f554c58e06942c92ea6c3ad174a17f76 |
| SHA1 | 6368232db4b2bc5b3ed3cd6ec184d0d86b92967f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 17:25
Reported
2024-03-10 17:58
Platform
win11-20240221-en
Max time kernel
1739s
Max time network
1746s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta
Modifies RDP port number used by Windows
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | C:\Windows\regedit.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipgeolocation.io | N/A | N/A |
| N/A | api.ipgeolocation.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings | C:\Windows\SYSTEM32\cmd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\FullDetails = "prop:System.PropGroup.Description;System.FileDescription;System.ItemTypeText;System.FileVersion;System.Software.ProductName;System.Software.ProductVersion;System.Copyright;*System.Category;*System.Comment;System.Size;System.DateModified;System.Language;*System.Trademarks;*System.OriginalFileName" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\0 | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings | C:\Windows\SYSTEM32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\TileInfo = "prop:System.FileDescription;System.Company;System.FileVersion;System.DateCreated;System.Size" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings | C:\Windows\SYSTEM32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe | N/A |
| N/A | N/A | C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe
"C:\Users\Admin\AppData\Local\Temp\Win Quick Config.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ipconfig
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/OurAllNetwork
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f2b43cb8,0x7ff8f2b43cc8,0x7ff8f2b43cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/OurAllNetwork
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8f2b43cb8,0x7ff8f2b43cc8,0x7ff8f2b43cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,6540273361273910462,15061628231997835871,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,6540273361273910462,15061628231997835871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14024502223967164848,8620664338609091290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip /q /install
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Fixer.bat"
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\Readme.txt
C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Documents\XWormV5.3\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\KPortScaner.zip /S
C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe
"C:\Users\Admin\Documents\KPortScaner\KPort Scaner\KPortScan V3.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004B4
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\NLBruteAllTools.zip /q /install
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE"
C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE
C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE
C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE
C:\Users\Admin\DOCUME~1\NLBRUT~1\NLBRUT~1\NLACHE~1.EXE
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\NLBruteAllTools\NLBrute All Tools\ERROR.txt
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Documents\NLBruteAllTools\NLBrute All Tools\dControl.7z"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /CC:\Users\Admin\AppData\Local\Temp\EXE-Fixer.reg /q /norestart
C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\EXE-Fixer.reg"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipv4.icanhazip.com | udp |
| US | 104.16.185.241:443 | ipv4.icanhazip.com | tcp |
| US | 104.20.62.122:443 | api.ipgeolocation.io | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.62.20.104.in-addr.arpa | udp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| US | 8.8.8.8:53 | 175.108.111.34.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
| US | 173.255.194.134:80 | www.proxysecurity.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
| ID | 153.92.8.74:443 | nc.bmexcellentfocus.net | tcp |
Files
memory/3796-0-0x0000016482F20000-0x00000164832CE000-memory.dmp
memory/3796-1-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/3796-2-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-4-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-3-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-5-0x000001649E390000-0x000001649E442000-memory.dmp
memory/3796-6-0x000001649E4D0000-0x000001649E546000-memory.dmp
memory/3796-7-0x000001649FB40000-0x000001649FB62000-memory.dmp
memory/3796-8-0x000001649E5A0000-0x000001649E5BE000-memory.dmp
memory/3796-9-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/3796-10-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-11-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-12-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-13-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-14-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-15-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-16-0x000001649D7F0000-0x000001649D800000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 601fbcb77ed9464402ad83ed36803fd1 |
| SHA1 | 9a34f45553356ec48b03c4d2b2aa089b44c6532d |
| SHA256 | 09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15 |
| SHA512 | c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a91469041c09ba8e6c92487f02ca8040 |
| SHA1 | 7207eded6577ec8dc3962cd5c3b093d194317ea1 |
| SHA256 | 0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f |
| SHA512 | b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f |
memory/3796-30-0x000001649D7F0000-0x000001649D800000-memory.dmp
\??\pipe\LOCAL\crashpad_3548_VJKXUKQWMIIQBSVM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | faf31162cf543bd84cadaf08eac6d90d |
| SHA1 | 4270d3dd0f27bedbe8809d7814150339809c1afd |
| SHA256 | 0b681bc161ad7c17147a3ce705909be0653309818dbf605eb043cc41213736d1 |
| SHA512 | 40f63e03242e7ed363116c14504628d3ce2f3bb97be39832af8d7b5cbcd07f154222883fb8cc78c320dc956771ea7dcf92834da5a8241e42f71e7ea6cf14ec9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0720e10d3b69c15d0445959322b48d61 |
| SHA1 | b6d522e72381d926981ca200497e31a72129a698 |
| SHA256 | 02596f54443ce5c6a858fa9b525b48d148fc92d406a1cc30cca8847ed9c24571 |
| SHA512 | b523e649e5c102cb6ed4ba9ae77d4908ff61de905b41e85b11fc4bb2ed6874c73f9a669a8d4ae7259cd12f7fe5f66f1069c43724058310bfc0d730c092513a96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 456676bed1c86f253172818c819da618 |
| SHA1 | c498201a9ccafbbe52b3b6634ab035372f7fc3a6 |
| SHA256 | 334cb0bab4aca1c9b1a9fa66d578f27b298c850bc4852127258bb2c243e5ff31 |
| SHA512 | ef812237e72357aba684c500e774f7cf7a8ebc39ceabd966a0d9bc5363c96b42a3cfaa16ace4c17de9c96107e9aeb3379a1be5810d945caeaf67810d4927533f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a07664a3b3ede9aaefe726f8c43ab412 |
| SHA1 | 8db0b5eff9106c658d95857fe5defd6e75bedb4b |
| SHA256 | 4296c2090e0e777d3ddb954e652768a3d7d5163e93e1fb9e9c4763e833549ea4 |
| SHA512 | 4a34cf9109d2f496384f12b400bd2f63fe330482840a3816088ff34463f8408e4ea5be3d23e28ca82388ec25bd41f7ab1330d6f59c13c974764e36d84320cbc4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4e407251af4bf11770e8a924cea0048b |
| SHA1 | 5ffc4c126bf93df393914d9acc3a474682f7c961 |
| SHA256 | e8b36f85f4a86efdf471507afade2018a51ca6da42c8cf8ab9e1bc2bb0764662 |
| SHA512 | e38852eb92afce94a16f23421e8ec15af686bde63621668f7e829402a21cb43ed3bd25370c2d2e1c9b1b533108a2c6ad999b8596c15a92728c45d048be57d546 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\695ad376-033f-4aa3-b5a2-76245fa91bd7.tmp
| MD5 | ec0fef1aaf0616b6034262deebf93a3c |
| SHA1 | d59a9679ccc053274d79cbfa8786b363b6bc0396 |
| SHA256 | bb7a834df7991a180ec8b3606dfeb8cdd4747ccb76de62273a7b9e9fa7326cf9 |
| SHA512 | 6cb990177c8ff2011acb4b7f48d102f84d55059035a6ec4d9315628ae3076872db43c92a4050e792180586f14aca55519f34cfe1930f3767c9e3301cd6b3168c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\XWormV5.3.zip
| MD5 | 35710259ab981b8e70bad6c0ec6ac70e |
| SHA1 | 7aeee44521e6066ee4946bd641b452a92b9dac58 |
| SHA256 | 7356fa17a44f6e93635f87fdd25566d8530e1a4f712de686b63618c84d2b86e8 |
| SHA512 | 6ede219ce36d1326100f46336706c5b1e698ea1888f15812f6ad9748cd860da5e76260b3e294c8db782f1d621e23889f92401815313bb59d586ca5ed70f01f85 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | e7287dd4e71a21e10194c99cc8ccd823 |
| SHA1 | d12b4151bb25ca694ad8098751b4918129c322ac |
| SHA256 | 9c3bad374f6b813d2d3393e29f7e9aaca5404a001e521746d21fe7ced190f27c |
| SHA512 | e76c126fb4f111e78772ee65afb4a06ff74d4c56432a4aa3f6c9680a0e832c257285e68f2b09e4513b4d4ca3169d865e375caa20dca32648d81010394c0c8c21 |
C:\Windows\System32\perfc009.dat
| MD5 | 7f41bddfccdfe4a298b0bfcf14a20836 |
| SHA1 | 8acacdd3503c65fb2ddc4fbb9f41811ae8550276 |
| SHA256 | 446d064235ee69494d5797e01e4039eca0a026c9b801cacf0670334104eedbbb |
| SHA512 | bb984e7660899c293eb3e8c14156cee5237e0cd2b0ada7b03c850f027a08d728fe8774f7a377e911ed54bd788ac5c88fd6e24b41fda6d5020dc6fae0e4980c85 |
C:\Windows\System32\perfh009.dat
| MD5 | 1ad05e460c6fbb5f7b96e059a4ab6cef |
| SHA1 | 1c3e4e455fa0630aaa78a1d19537d5ff787960cf |
| SHA256 | 0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71 |
| SHA512 | c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f |
memory/3300-469-0x00000000004F0000-0x0000000000510000-memory.dmp
memory/3300-470-0x0000028BC8900000-0x0000028BC8942000-memory.dmp
memory/3300-473-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/3300-472-0x0000028BC8980000-0x0000028BC8986000-memory.dmp
memory/3300-471-0x0000028BC8950000-0x0000028BC8978000-memory.dmp
memory/3300-474-0x0000028BE2B10000-0x0000028BE2B6E000-memory.dmp
memory/3300-475-0x0000028BE2B70000-0x0000028BE2BC6000-memory.dmp
memory/3300-476-0x0000028BE2CA0000-0x0000028BE2CB0000-memory.dmp
memory/3300-477-0x0000028BC88C0000-0x0000028BC88C6000-memory.dmp
memory/3300-478-0x0000028BC88D0000-0x0000028BC88D6000-memory.dmp
memory/3300-479-0x0000028BC8A00000-0x0000028BC8A3C000-memory.dmp
memory/3300-480-0x0000028BC89B0000-0x0000028BC89CA000-memory.dmp
memory/3300-481-0x0000028BE3A90000-0x0000028BE486E000-memory.dmp
memory/3300-482-0x00007FF8DF887000-0x00007FF8DF888000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll
| MD5 | 2f1a50031dcf5c87d92e8b2491fdcea6 |
| SHA1 | 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f |
| SHA256 | 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed |
| SHA512 | 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8 |
memory/3300-490-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/1164-491-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/1164-492-0x000001F9F8420000-0x000001F9F8430000-memory.dmp
memory/1164-493-0x000001F9F7CF0000-0x000001F9F7CF6000-memory.dmp
memory/1164-494-0x000001F9F7D00000-0x000001F9F7D06000-memory.dmp
memory/1164-495-0x00007FF8DF887000-0x00007FF8DF888000-memory.dmp
memory/1164-498-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/4688-499-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/4688-500-0x0000012AAF610000-0x0000012AAF616000-memory.dmp
memory/4688-501-0x0000012AAF620000-0x0000012AAF626000-memory.dmp
memory/4688-503-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
memory/3796-504-0x000001649D7F0000-0x000001649D800000-memory.dmp
memory/3796-505-0x000001649D7F0000-0x000001649D800000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KPortScaner.zip
| MD5 | 74f3e00524e50b2b191cdda342cb2186 |
| SHA1 | 17cae9921a3d3bcde0fbea27aea830511b5e9f6a |
| SHA256 | 69a5e71b08e6c65a789853ccda99e483ae4a569ede116ed21ac252534d368ff1 |
| SHA512 | b2a85221fd1c01b76f83b8e70e26def7084ff652acad07f32ef6740a9744b8e3396476026850652df09fba6e5e670fddee87960327cbb256582aa820da4a0d4f |
C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe
| MD5 | c0a8af17a2912a08a20d65fe85191c28 |
| SHA1 | 0fbc897bf6046718524d05b6bc144c3785224802 |
| SHA256 | 080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5 |
| SHA512 | bd6b67a2f285a5634c5d38f742d5528a661414d3fb88f8065433f6a6a1a3a3f707dede9be7bda9bac9327240422c2314081d0a9eb9b6bc61687465ac96868ef9 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | 8ffc3bdf4a1903d9e28b99d1643fc9c7 |
| SHA1 | 919ba8594db0ae245a8abd80f9f3698826fc6fe5 |
| SHA256 | 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6 |
| SHA512 | 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427 |
memory/4764-624-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-625-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-626-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-627-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-628-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-629-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-630-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-631-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-632-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-634-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NLBruteAllTools.zip
| MD5 | 74b961dac92bba58a673817a4963976a |
| SHA1 | d01b7beeeb774575cc187416ef7d205f012dc6eb |
| SHA256 | 55bc0ea43f6571d9f041d699e069b651b6dfd6b23091434a94193b8ca4fc8302 |
| SHA512 | cdfc5eeffcdd8aa11a652e217de553c404d0bd7b320bdba4eb3b63b32b4744060fc19f7df6933ade3bb966f06b06a4e81fbd8b770206676320574b0405b58904 |
C:\Windows\svchost.com
| MD5 | 7623402ee71e75aace57a0aa43fc5cc1 |
| SHA1 | 71b98ca03bf87fbaa8c5b68b5239370bfee90be3 |
| SHA256 | efa4c9f64ccdefd3cafc60bf432ab16672d534a3a55ba36e03d81736570f8657 |
| SHA512 | 7612e43f1aeb536436d3a291d27d8d3ed8cd5d115d8b2fa45ba9af6a2ebca61819d7ca49d4d17e9d23934903052130cdef7ee8823ce00e80e5770ecde38d5135 |
memory/3924-644-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
| MD5 | 4054e99e7c770fde6245c832fdb87897 |
| SHA1 | 47ce07c01b369b0282ca93c1b73e91a6ac476e11 |
| SHA256 | 21a06caed43387480edbcd09f45befbdb8779e3a034077d9961e39cb38b980d3 |
| SHA512 | 210619f131624b2f1006cab9a43d1a2d86bab5870b589f62a9ee393fc2c224bc9f6d37e01dcd7fd1d3a436e8d8c3dd5ed7b880e6403b88b9a846e69632af621c |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\SCAN.exe.manifest
| MD5 | 02bad6e0bf54f39089e7c9b9d7812702 |
| SHA1 | 23724d9baf3d0711ea1fada8f606e08e92a4de59 |
| SHA256 | 5434584527b30e1d6f68060c2720af8ceb08116970b17dc4de9fc406b82b3d33 |
| SHA512 | 75b935b7061fdd05987769483a2ee64465ff137f6bf345c6267382ef5f234630b19d61aeeb639a5412ccac2acfe06002828115097204d865f895fac1c531ce39 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\python27.dll
| MD5 | 076a8a0dd3bec1b61110b87a989c994f |
| SHA1 | b6771a7b63b106c3fccbf8c0477952758109a724 |
| SHA256 | 65c735b2e427755241bfa61bc3249d7169b63e49b314eb9405c6bcf74afb8754 |
| SHA512 | c8f7d588f8fdf1750fd7b4af9020c5db72129109ebfa546b2c97ef19af89c020337c1a8a2199c079d1859a28103e1fc4d07ba95b9a6c17ca21fd3ca94b356a74 |
C:\Users\Admin\AppData\Local\Temp\_MEI42~1\_ctypes.pyd
| MD5 | 43d728dca22fa15a90426900eb6a11d2 |
| SHA1 | 888bdb94315383cee0727d2cd60f0baa0bb2dd98 |
| SHA256 | 510e917666061200868396f69c26c508fd07c44ee48a94d310c59e69b3804cff |
| SHA512 | c54b118d3ff7f7134879a3b542c6587af27282affdffd8189d01428ad1040b3cc03587b170355111eca0cbab100ce0f0eb634ef2e3928fb119007ff14551ae4f |
C:\Users\Admin\AppData\Local\Temp\_MEI42~1\bz2.pyd
| MD5 | e139c613c4aab0de3dfabe287e1dda29 |
| SHA1 | ae4ecc55bd82d5c9cb54ee1510e5d83d3c0aa2fb |
| SHA256 | d09a7a68c62a54548a19582b956b332ea3de431156125eaa8e7476c8ec16c002 |
| SHA512 | 35314235e118e620b335c30165056dd2a0ecbe07f1e37b3215a424d10cfc4dd866976b64bc4d155c18e73eaf9bae10d77c289c5afc08ab2076c9c5afefaedd02 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\_hashlib.pyd
| MD5 | 3881fed46c9663727204ebcf69a48827 |
| SHA1 | 3a8193a8da7c50f106dc2e11574a792472e41910 |
| SHA256 | 5878b68ad284870bc147b0e342e7a544e04c30b8199bca17e9a26f83066bed34 |
| SHA512 | 46ca4b2f3208bd984e4a1ac97f6b8ae6f0d0aa23d08fe82e443aaf3526db52c4ff61e4bf75792f499d9977cec92aaa95f3120ab3aec45c32c2f1819525dc6c7b |
C:\Users\Admin\AppData\Local\Temp\_MEI42~1\_hashlib.pyd
| MD5 | d256d9116eaede4dbf39a90cc90d594b |
| SHA1 | 9e52edf54d10eb722b3cce72cb1e5fba8468e16c |
| SHA256 | 456376da077b6abf0a7533607ef31b658d02afff2f7bcc25a3e454966b6ffa51 |
| SHA512 | d2e501353516409b8ef88b1ae9812c74977a4acf2f739c62c7622c8adc2c48d1672194b3d5891dab902d4133b7b7bd172ceeba5e13fe6abaab9072b512cbbedc |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\_socket.pyd
| MD5 | a4d40e5cd4a75c68d460773fb0625be2 |
| SHA1 | 60456c263f350a9b23fd8a54c3ea36595dfec0e1 |
| SHA256 | 898936f85d2dc26575856a3ef8fefc2b30c733e858b6595adf10ef232928e189 |
| SHA512 | bdc53264a6659e1185a05dc3f94277a4e05288313fa6ade11015a538176782c3f692a57c27d7c4b15c839351bfacd63dd869d1374a010cf1f25877b6c2f2f89d |
C:\Users\Admin\AppData\Local\Temp\_MEI42~1\_ssl.pyd
| MD5 | f98bc128112daa1f3dfd0d9fd5d81e03 |
| SHA1 | 8bfd83bdd2d2c8252d5da7640253cc1f8bf7a356 |
| SHA256 | 27d29dde2a3ef9112216c5c80d86061d898fcf91bcf71cc30cefca3f425aa7b9 |
| SHA512 | d15e9227422ba84d56a09ff72882ede67ed15a4235fdbf89c3952eb088c83d6fb3d77564bf23200d5741f6f9ded2dccf58a328ea173c2603c7de46f744c221aa |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\win32api.pyd
| MD5 | ee73b5435ffd8c1ed67525263b35d4d1 |
| SHA1 | 3a1ddf1aa147f5c5f165209ad388bb02fc55fb8d |
| SHA256 | db7ab701c7626b928bb4306bc49cc5f55cff56dacea7cfdccc77eefd06fb136a |
| SHA512 | 70372c9f627be9b42a24dac36af96d1483a7f8c91c0e9ebde80a8168bed7ba14b23d55d330a3f6fd3609190bf5bde98267a2a87abfd414be77a4384f331f4c39 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\pythoncom27.dll
| MD5 | 7805e430a83c985a059fbb9df16da10c |
| SHA1 | 498b077aa47b53667937dc2b8463f8ff169dcb08 |
| SHA256 | c9f1b53f87a4ee5d4740e03c9da300166de8c239be726e42f2d9d96bd81fabe2 |
| SHA512 | fba45917ddd07505b0035eeaf1fb6d8d472473dbcd2710cb8388bcbbf7833e65e1eb53b05e919c59ee5e11051068dabb65eb4e8b2262c3bcf8b74aa74fdd30ae |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\_multiprocessing.pyd
| MD5 | d945e0fe5638a5955189ecf8ad156f29 |
| SHA1 | 996f2fac787a8fe6a24a812e724c5badc7d15154 |
| SHA256 | 2ac1673c1d14d02dea009686f93df075c701a14e693af2c7dc9bf69bfb128668 |
| SHA512 | 57dc1f3e51c98a018dfaad227c74b8a3a7c6b2685ac8eb3b1e7fce7c0b57028e710f49f31856859899d408958811ff2be72d37d4f83af60b15991a8749bf654b |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\tcl\encoding\cp1252.enc
| MD5 | 5900f51fd8b5ff75e65594eb7dd50533 |
| SHA1 | 2e21300e0bc8a847d0423671b08d3c65761ee172 |
| SHA256 | 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0 |
| SHA512 | ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc |
C:\Users\Admin\AppData\Local\Temp\_MEI42~1\PIL._imaging.pyd
| MD5 | 9443404880d5776ddf5fe9962be70eb2 |
| SHA1 | f85a742e79b7021f36c2ccd19c0c2a5a7fb33d98 |
| SHA256 | df0482b2f7c962d7c78a804c671b1976f7ff50f6d62e6dcb889befa4dccafbe4 |
| SHA512 | 1a39e23e3665888ec528442ca60fc1458af1bf39b5d7f61fa31a9a5559f8bab119faec9f8d644a69d1afbc49bed63bfbf37ef3ee9ea21899a368d725c60c50a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\PIL._imaging.pyd
| MD5 | 6895f3eb68ef91c6025fe9328bca15b7 |
| SHA1 | 511d2fc85e0ebfa9a535980686161794de408fcd |
| SHA256 | 3d748e2e8fc92e18551e1e778b93ce821a5fe44fe8ca3d2e067d22b781addae8 |
| SHA512 | 2701eb3450a6799f230072e389fd92789f9d84134d8b062b04955bce9d568f89c857b307eff3b81205262261d1ab168af50928f7d440289792bded5d5f75727b |
memory/900-1668-0x000001C802DD0000-0x000001C802DFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI42202\_cffi_backend.pyd
| MD5 | cbfc7a2d429438f83162a58d67fa6688 |
| SHA1 | 98785bdfd8ab7f6c21e28e67483fd73c63a51cdc |
| SHA256 | 2b2898f7e1722429779d194b9c233a01782f869b76f6590c3af08392a8128de8 |
| SHA512 | 5bccb7f4ba0c6328a1a8874a6cad2e7f07c3293217a0e62a4854507a6e433e2160d85370c1cae4f087f434cbe17165d4975364ae7b54c9de51ca51d285501c07 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\cryptography.hazmat.bindings._constant_time.pyd
| MD5 | 166bf01c2382676cbfbcba57c30f02ff |
| SHA1 | c7ef11d11bdd3d5d9cec9cf1592228cf086dbb7e |
| SHA256 | 729be9d7fb0e62a55c275c0496a8873e63164b4d53a20b7b3c1545deab836d91 |
| SHA512 | 4a0eb752cbe70b1cbda87c9233e6736f9f4363623a57d40e3e612dce5f851ad09f2a52fa21f2119b0ffa3b5c085eae2f2fae5bdb4b58a9f5fff343affc201e59 |
memory/900-1669-0x000001C8043C0000-0x000001C8043D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI42202\unicodedata.pyd
| MD5 | 7aff74ee0bc42f0862e1d58d8147c081 |
| SHA1 | 8cfe4fbcb9c35828e8ad611dc680bf1fe383f99a |
| SHA256 | 7a0e39ef1bd3991cb18374c69c47b24a0e4b25cded4727e50ce645f5e751a213 |
| SHA512 | 60e50c66a1bca1ad0f12c38d4d6ca9181acb26f67e1a1d439dc597c019df808d3cc89e3739b67827162890a9f4d8344dcfb8516d0cc6ad9e55a0e53f08871e41 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\tk85.dll
| MD5 | 9d2e6eb30f4905b4a19089332d0430b5 |
| SHA1 | d8d134b0dc7cb9b88f3e35fc5bb30dce4eb40312 |
| SHA256 | c3739fa11a966b550b6a4c8c68aea5915e9f4d11f7e55cf055f2ef5316133926 |
| SHA512 | a39bfbedbaaaa9e5f449cb66f67dc08328f964136135a4de52352fe01c44ac2df8ac6c0fb188395f41bbf9696bfe00128d6f1f7749692286a0a564d5dc1234b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI42~1\tk85.dll
| MD5 | b02a075cc286edc0dbe933939080cf70 |
| SHA1 | 589f68b1ffa119556d30c9024395a8ce610d5962 |
| SHA256 | 7931f5c15a54c28a7bc6c51c7e47490afd9a0f286ee2d5518819cee8b083aa21 |
| SHA512 | f10a0e14575745a07af0f797c726851afc88888f01989efb4d48572d00543e401de4567da5179a049ee52423eb51f24a92a31987922bb0399776636e82abf9ce |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\tcl85.dll
| MD5 | 837f6e21b4edf1e09bc470131e8ed4ec |
| SHA1 | 3f2c0fc9d39941712299183a300fe287bd25960d |
| SHA256 | 613af62f42e4d4329c7fed824f7c91b30e2869a5a80defe80b7e1364b0e38e7a |
| SHA512 | 754c23829e3e41556e49f867525746e61ff151a227daf09a7eade85eee53d311c8a8fe53640c2c065b3dfc64faab26c88c34cf62aed1b73f0fe15600a2e800b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\_tkinter.pyd
| MD5 | d3fe1d1bfbb9b55bd8874bf7a428dc8c |
| SHA1 | 3052aeeffe1f535ec3fcb6a45edddb10e95fad92 |
| SHA256 | 266cd843beaed33af053545226568cf43c2bccab03e5545310cf76e09b1ececf |
| SHA512 | 6b58d3fd233f82ff331d1bca41401eb4ff7993697536280a073dbd27d63161a1e8b4ecc1f06c09a343f8f528a38517bc1f25bacf577ffa67a325792feefefb79 |
C:\Users\Admin\AppData\Local\Temp\_MEI42202\pywintypes27.dll
| MD5 | ec16db0ad80be2fb40600df034797ecb |
| SHA1 | 6d5bce3b8fb8c7dff0aa179d503af47887e3f0c2 |
| SHA256 | 959bece25a592bf32d3b3e602bb8ebe88039db2f58916f593db3b66795258074 |
| SHA512 | e0827664a6ff06093c16b520da354af77d85ee10a364fd827ecd345d61c322005104354c12cee9778560e44e6ae7a4aa7e4070f388ef8799f139ea8c5c0c97fb |
memory/3796-1674-0x000001649FD80000-0x000001649FD8A000-memory.dmp
memory/3796-1677-0x00007FF8E08E0000-0x00007FF8E13A2000-memory.dmp
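Two things in this listing are easy to get wrong when turning it into detection content. First, several names appear twice with different hashes because the payload was unpacked into two PyInstaller extraction directories (`_MEI42202` and the 8.3 short form `_MEI42~1`): `_hashlib.pyd`, `tk85.dll` and `PIL._imaging.pyd` each have two distinct SHA256 values, so a sweep keyed on file name would match only one build. Second, `C:\Windows\svchost.com` together with the "Modifies system executable filetype association" signature in the summary is the standard Neshta footprint, and the repeated `0x00400000-0x0041B000` dumps from pids 4764 and 3924 are the small image that infector runs from; those are the entries worth carrying into a host sweep, not the Python runtime files around them. The script below is an added example written for this page, not code from the sandbox or from any of the projects named in it. It parses the listing format as it appears above (a path line followed by `| ALGO | hex |` rows, and `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` lines, a layout inferred from this report), validates digest lengths, flags name collisions, and sweeps a directory by content hash. The embedded sample is a constructed subset of the entries above; the sweep demo hashes a throwaway file of its own because the real droppers are not available offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: a subset of the report entries above, copied verbatim.
SAMPLE_REPORT = r"""
C:\Windows\svchost.com
| MD5 | 7623402ee71e75aace57a0aa43fc5cc1 |
| SHA1 | 71b98ca03bf87fbaa8c5b68b5239370bfee90be3 |
| SHA256 | efa4c9f64ccdefd3cafc60bf432ab16672d534a3a55ba36e03d81736570f8657 |
| SHA512 | 7612e43f1aeb536436d3a291d27d8d3ed8cd5d115d8b2fa45ba9af6a2ebca61819d7ca49d4d17e9d23934903052130cdef7ee8823ce00e80e5770ecde38d5135 |
memory/3924-644-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI42202\_hashlib.pyd
| MD5 | 3881fed46c9663727204ebcf69a48827 |
| SHA256 | 5878b68ad284870bc147b0e342e7a544e04c30b8199bca17e9a26f83066bed34 |
C:\Users\Admin\AppData\Local\Temp\_MEI42~1\_hashlib.pyd
| MD5 | d256d9116eaede4dbf39a90cc90d594b |
| SHA256 | 456376da077b6abf0a7533607ef31b658d02afff2f7bcc25a3e454966b6ffa51 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Turn the listing into (files, dumps).

    files: [{"path": str, "hashes": {algo: hex}}], dumps: [{"pid", "seq", "start", "end", "size"}].
    A hash row must follow a path line, and each digest is checked for the
    length its algorithm produces, so a truncated copy-paste is caught here
    instead of silently never matching during a sweep.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current["hashes"][algo] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
            continue
        # Any other non-empty line is a dropped-file path that opens a new entry.
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def name_collisions(files):
    """Return {basename: {sha256, ...}} for names that occur with more than one SHA256."""
    by_name = {}
    for f in files:
        name = f["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        sha = f["hashes"].get("SHA256")
        if sha:
            by_name.setdefault(name, set()).add(sha)
    return {n: s for n, s in by_name.items() if len(s) > 1}


def sweep_directory(root, files):
    """SHA256 every regular file under root; return (local_path, sha256, report_path) hits."""
    wanted = {f["hashes"]["SHA256"]: f["path"] for f in files if "SHA256" in f["hashes"]}
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digest = h.hexdigest()
        if digest in wanted:
            hits.append((str(p), digest, wanted[digest]))
    return hits


def demo_sweep():
    """Constructed end-to-end check: a renamed file is still found by content hash."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "renamed_copy.dat"
        target.write_bytes(b"constructed sample content, not the real dropper")
        entry = {"path": "constructed/evil.bin",  # hypothetical report path
                 "hashes": {"SHA256": hashlib.sha256(target.read_bytes()).hexdigest()}}
        return sweep_directory(root, [entry])


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    print(f"{len(files)} files, {len(dumps)} memory dumps")
    for name, shas in name_collisions(files).items():
        print(f"name collision: {name} -> {len(shas)} distinct SHA256 values")
    for d in dumps:
        print(f"pid {d['pid']} region 0x{d['start']:X}-0x{d['end']:X} ({d['size']} bytes)")
    print("demo sweep hits:", demo_sweep())
```

Feed the full listing to `parse_report` and key any blocklist or YARA hash rule on the SHA256 column rather than on the path: the `_MEI42~1` entries are the same files as the `_MEI42202` ones on a different extraction, and the short-name form will not be what you see on a victim host.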