Analysis Overview
Threat Level: Known bad
The file https://www.upload.ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5.0.rar was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Looks up external IP address via web service
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 09:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 09:13
Reported
2024-04-11 09:15
Platform
win11-20240214-en
Max time kernel
127s
Max time network
130s
Signatures
Detect Xworm Payload
Xworm
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0D8A97C8\XWormLoader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe | N/A |
Obfuscated with Agile.Net obfuscator
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\7zO0D8A97C8\XWormLoader.exe:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\7zO4887D108\Fixer.bat:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5.0.rar
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb44513cb8,0x7ffb44513cc8,0x7ffb44513cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"
C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4886CFC7\XWorm V5.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO4887D108\Fixer.bat" "
C:\Windows\system32\lodctr.exe
lodctr /r
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\7zO0D8A97C8\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D8A97C8\XWormLoader.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,5684607820838287716,10341636931499098527,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1332 /prefetch:2
Network
Files
| SHA256 | 8913694049d59706ff287e282b6c4493938728de16225b97d7ec6d355a261a02 |
| SHA512 | 6038d4931670d22e594f769e53e4d2c0e6a0811fe957e4db3224dea950baf9d5f4f8b0e6deb8188685e4dec8fdb70d1cfcc7983c9cb79e3b4677f64f7ba91175 |
memory/756-639-0x000001D189F30000-0x000001D18A9A2000-memory.dmp
memory/756-640-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
| MD5 | a239b7cac8be034a23e7e231d3bcc6df |
| SHA1 | ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d |
| SHA256 | 063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8 |
| SHA512 | c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524 |
memory/756-648-0x000001D18C5B0000-0x000001D18C5C0000-memory.dmp
memory/756-649-0x000001D1A5550000-0x000001D1A6106000-memory.dmp
memory/756-650-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO48844628\XWormLoader.exe
| MD5 | 9158e38c3bacd6cc50e4355783fead8b |
| SHA1 | c30c982c2d061e4bd8b5e0e3f89693b3939a0833 |
| SHA256 | 1f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda |
| SHA512 | 98683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd |
memory/3540-672-0x0000000000DD0000-0x0000000000DF2000-memory.dmp
memory/3540-673-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/3540-677-0x000000001BAA0000-0x000000001BAB0000-memory.dmp
memory/1580-687-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/1580-688-0x0000026499D10000-0x0000026499D20000-memory.dmp
memory/1580-689-0x0000026499D10000-0x0000026499D20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxlcnk4t.2zt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1580-690-0x00000264FFF80000-0x00000264FFFA2000-memory.dmp
memory/1580-699-0x0000026499D10000-0x0000026499D20000-memory.dmp
memory/1580-702-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
memory/4248-704-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/4248-705-0x000002771E5F0000-0x000002771E600000-memory.dmp
memory/4248-706-0x000002771E5F0000-0x000002771E600000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
memory/4248-723-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/3540-724-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/2700-725-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/2700-726-0x00000170403A0000-0x00000170403B0000-memory.dmp
memory/2700-728-0x00000170403A0000-0x00000170403B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 781da0576417bf414dc558e5a315e2be |
| SHA1 | 215451c1e370be595f1c389f587efeaa93108b4c |
| SHA256 | 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe |
| SHA512 | 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737 |
memory/2700-737-0x00000170403A0000-0x00000170403B0000-memory.dmp
memory/3540-738-0x000000001BAA0000-0x000000001BAB0000-memory.dmp
memory/2700-746-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/1144-747-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/1144-758-0x000002D05BB30000-0x000002D05BB40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e07eea85a8893f23fb814cf4b3ed974c |
| SHA1 | 8a8125b2890bbddbfc3531d0ee4393dbbf5936fe |
| SHA256 | 83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea |
| SHA512 | 9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df |
memory/1144-757-0x000002D05BB30000-0x000002D05BB40000-memory.dmp
memory/1144-759-0x000002D05BB30000-0x000002D05BB40000-memory.dmp
memory/1144-761-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO4887D108\Fixer.bat
| MD5 | 2dabc46ce85aaff29f22cd74ec074f86 |
| SHA1 | 208ae3e48d67b94cc8be7bbfd9341d373fa8a730 |
| SHA256 | a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55 |
| SHA512 | 6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3 |
C:\Windows\System32\perfh009.dat
| MD5 | 1ad05e460c6fbb5f7b96e059a4ab6cef |
| SHA1 | 1c3e4e455fa0630aaa78a1d19537d5ff787960cf |
| SHA256 | 0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71 |
| SHA512 | c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f |
C:\Windows\System32\perfc009.dat
| MD5 | d7d7fd6e4781222b87731bd7cefd6288 |
| SHA1 | 59f857b4a34b48189b9550082c7ce5546ec7592a |
| SHA256 | 8e5fcb1cd62a5ebcd23e2a7d6bd8086875e006bdb6f42472d0dfb1591c86e34f |
| SHA512 | a8fa248991e37c1b5b5a05624e05b35a600528070253a56a4225a2e0db806442eb2401339786e3a86c150b9032834e90c6e29b88161465d964241a09a780d1fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 2361f466e6964a68ea9e19022006d19f |
| SHA1 | c5b0af293d126e7c0e522e4a8cfd833682abc90d |
| SHA256 | 3aa4271257075e5b6ac81d42eedf9d14def64f0307e72b9d0da945c574a59028 |
| SHA512 | 7ca49753c067750c48b9a1e6fda84a0a751a2e11784aa626f4a69a0d6e9534dc8eb768f88d957456d0448e457b438d676a939301be27f797c65d65360c584742 |
memory/1360-1099-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/1360-1101-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/1140-1126-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp
memory/1140-1128-0x00007FFB30A10000-0x00007FFB314D2000-memory.dmp