Malware Analysis Report

2024-11-13 16:14

Sample ID 240411-rg151sgc3v
Target http://telegra.ph/XWorm-50-09-06
Tags
xworm agilenet rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://telegra.ph/XWorm-50-09-06 was found to be: Known bad.

Malicious Activity Summary

xworm agilenet rat trojan

Detect Xworm Payload

Xworm

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Enumerates system info in registry

Uses Task Scheduler COM API

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 14:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 14:10

Reported

2024-04-11 14:15

Platform

win11-20240221-en

Max time kernel

298s

Max time network

307s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-06

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (×2)

Xworm

trojan rat xworm

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (×2)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A (×2)
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A (×2)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings C:\Program Files\7-Zip\7zFM.exe N/A (×2)

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File opened for modification C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F298639\Fixer.bat:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO80FE64EA\FixNoStart.txt:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F26BCB8\Fix64.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F2FF049\FixNoStart.txt:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO020EC24B\Fixer.bat:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO80FE298A\FixNoStart.txt:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO80FDD38A\Fix64.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO80F9A69A\Fix64.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A (×3)

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×12)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A (×2)
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (×32)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×12)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (×3)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×21)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A (×3)
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A (×3)
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A (×20)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe N/A (×2)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×4)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A (×2)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×50)
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (×14)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 4348 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 4364 wrote to memory of 4836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×40)
PID 4364 wrote to memory of 832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 4364 wrote to memory of 3832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×20)

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-06

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83f2f3cb8,0x7ff83f2f3cc8,0x7ff83f2f3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"

C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 872

C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO0F26BCB8\Fix64.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0F26BCB8\Fix64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 872

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0F2FF049\FixNoStart.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6928 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO0F298639\Fixer.bat" "

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"

C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe

"C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe"

C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe"

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO80FE64EA\FixNoStart.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO80FE298A\FixNoStart.txt

C:\Users\Admin\AppData\Local\Temp\7zO80FDD38A\Fix64.exe

"C:\Users\Admin\AppData\Local\Temp\7zO80FDD38A\Fix64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 844

C:\Users\Admin\AppData\Local\Temp\7zO80F9A69A\Fix64.exe

"C:\Users\Admin\AppData\Local\Temp\7zO80F9A69A\Fix64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 844

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"

C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe

"C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe"

C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO020EC24B\Fixer.bat" "

C:\Windows\system32\lodctr.exe

lodctr /r

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegra.ph udp
NL 149.154.164.13:80 edit.telegra.ph tcp
NL 149.154.164.13:80 edit.telegra.ph tcp
NL 149.154.164.13:443 edit.telegra.ph tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
N/A 224.0.0.251:5353 udp
FR 51.91.30.159:443 www.upload.ee tcp
FR 51.91.30.159:443 www.upload.ee tcp
BE 104.68.81.91:443 s7.addthis.com tcp
GB 18.154.80.85:443 du0pud0sdlmzf.cloudfront.net tcp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 ghabovethec.info udp
DE 52.222.236.125:443 catukhyistke.info tcp
US 172.67.164.1:443 edallthroughthe.info tcp
DE 52.222.236.125:443 catukhyistke.info tcp
FR 18.164.52.17:443 madehimalowbo.info tcp
GB 18.244.140.102:443 ghabovethec.info tcp
FR 52.222.149.107:443 funjoobpolicester.info tcp
US 172.64.111.13:443 pogothere.xyz tcp
US 172.64.111.13:443 pogothere.xyz tcp
BE 23.14.90.73:80 apps.identrust.com tcp
US 172.64.111.13:443 pogothere.xyz tcp
US 172.67.164.1:443 edallthroughthe.info tcp
US 172.67.164.1:443 edallthroughthe.info tcp
US 8.8.8.8:53 102.140.244.18.in-addr.arpa udp
US 8.8.8.8:53 1.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 125.236.222.52.in-addr.arpa udp
US 8.8.8.8:53 17.52.164.18.in-addr.arpa udp
US 8.8.8.8:53 107.149.222.52.in-addr.arpa udp
US 8.8.8.8:53 13.111.64.172.in-addr.arpa udp
US 8.8.8.8:53 43.39.156.108.in-addr.arpa udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
BE 74.125.206.84:443 accounts.google.com tcp
BE 74.125.206.84:443 accounts.google.com tcp
GB 163.70.151.35:443 www.facebook.com tcp
BE 64.233.166.157:443 stats.g.doubleclick.net tcp
BE 74.125.206.84:443 accounts.google.com udp
BE 64.233.166.157:443 stats.g.doubleclick.net tcp
GB 142.250.200.33:443 tpc.googlesyndication.com tcp
GB 142.250.200.33:443 tpc.googlesyndication.com udp
GB 142.250.178.4:443 www.google.com tcp
NL 139.45.197.239:443 dukirliaon.com tcp
NL 139.45.195.8:443 my.rtmark.net tcp
NL 139.45.197.236:443 yonmewon.com tcp
NL 37.48.68.71:443 datatechone.com tcp
BE 104.68.85.7:443 login.aliexpress.com tcp
BE 104.68.85.7:443 login.aliexpress.com tcp
BE 104.68.85.7:443 login.aliexpress.com tcp
BE 104.68.85.7:443 login.aliexpress.com tcp
BE 104.68.85.7:443 login.aliexpress.com tcp
BE 104.68.85.7:443 login.aliexpress.com tcp
US 163.181.154.233:443 g.alicdn.com tcp
BE 23.55.96.49:443 ae01.alicdn.com tcp
BE 23.55.96.49:443 ae01.alicdn.com tcp
BE 23.55.96.49:443 ae01.alicdn.com tcp
BE 23.55.96.49:443 ae01.alicdn.com tcp
BE 23.14.90.81:443 time-ae.akamaized.net tcp
SG 47.246.110.45:443 ae.mmstat.com tcp
BE 88.221.83.211:443 ae04.alicdn.com tcp
DE 47.246.146.201:443 acs.aliexpress.com tcp
RU 47.246.133.22:443 login.aliexpress.ru tcp
NL 212.117.190.201:443 sr7pv7n5x.com tcp
BE 104.68.85.7:443 login.aliexpress.com tcp
DE 47.246.146.202:443 wp.aliexpress.com tcp
US 47.246.136.175:443 pcookie.aliexpress.com tcp
US 208.95.112.1:80 ip-api.com tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp
DE 94.131.109.101:7110 testarosa.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 577e1c0c1d7ab0053d280fcc67377478
SHA1 60032085bb950466bba9185ba965e228ec8915e5
SHA256 1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
SHA512 39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

\??\pipe\LOCAL\crashpad_4364_TVCSBLGXKAFJTZRA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d4604cbec2768d84c36d8ab35dfed413
SHA1 a5b3db6d2a1fa5a8de9999966172239a9b1340c2
SHA256 4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
SHA512 c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 080697ee611e232b344032f618ce9950
SHA1 c84ba2f4ee8fd4e1d7d2bdadb0112f8e4e2ab3cc
SHA256 d98f97e71ab479ae6818a3cb26c410277957ac211225f89ef92f020c8510628c
SHA512 b24077e9181ca455ba8e70d7955d9dfaec19027da465283a52cc309a02e6a0d88964a8e7cfb99a27106ced7f11145e7827f6a65789f20ec5b226dbc1fdd46753

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 72cecbcc82c8163fb76d17990e999b2c
SHA1 a67a85c4098a31c0ba43422df8d09cbb364db82c
SHA256 460e27513c2f5f272e636f5d82bfb357eeba9f6c9ee789a33ea3721a04620ab7
SHA512 56f75a8f9002735fdb5def7cb98ea99f94e0873f4fff62490747dbbf874ef471fbd502d37e50b28667abf6770b3a579708fda72f6f6182add0726aca356d7b02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7ba9266e06b6424c9566276b0585d225
SHA1 fcda45affa3fb9dd40f3df247dfbc7eb0d0179c6
SHA256 e5c33c8d740202177909a7fe1ccf23039b918485ca8265ec704d9240bf18bdb2
SHA512 054d87766d7dab6f7be790607f77a4259500b1b5b657bc05c1c425a42e282000997d4effef863abf610a5a51b9a7eee77941c357f7adb94cc4a76947b481a8e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8e662b8ecd410760c9a6a9f73570cdd5
SHA1 6b59c6cc0e124d55a24b72d1868b163b77a9b979
SHA256 d444708a6aedb81cdf3d250ccbc5f06d25b4b4b2a15708707848805de8040c92
SHA512 6ed49297722fcf08a991dad36b0d25b9afe08f4106cdb992d27ea57680b4fb3421e59cc13d75a2d096759d5394356cd80beb5b0b878e6ac3ffa01ab66bcae675

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 72faa99835d113982c4e3409e1f2a72e
SHA1 b8aa0aa74e18ac12bb87b35a599ef2d59d6f335a
SHA256 cd6b8d86f97f3f83cb84de9611c46715350d9884e5caeb0d1f13b00192022bda
SHA512 7eb14642038410aa6a02ff1a336982f60d2ac288beb4fa0729856775928803380bbe2e6a848b2092c13c1a902c88758db29d4414650531ec0275175c83a7672a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ff40.TMP

MD5 7ae6f06b4f7d33468de605d3ddf3b77f
SHA1 902558f795b44b3ca5034636111a24fb5f50b468
SHA256 93ae5041eafd946f922601e32069d8457d024450371a2e8b869ca340e557e0b6
SHA512 7b3a738af401ded64a297ab823227e644361f8a1c641dc64235678131e504f0aaaafd1f6c76b791b247d0b776655e2ffc6acdfe5e2dd70d2606e920cda661041

C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\Downloads\XWorm-V5.0.rar

MD5 f778fc725ed79c15d3ad889e7a33bea8
SHA1 6dfce5a46e080fb2436b09a5ed68b98b4c28c17d
SHA256 c2a1b97d657542e949496bc96e5a6c4e0beb101a629e7591519d0cb7e906dbfa
SHA512 ecb5365ae67963d1d246851a852fda53d7ed100e99377d340124b432a3d502044d4ae3abf2e67f7b1224dd08e42e45906d173fcf0e667ec1f052102a4196745a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 8f13c1e871ec6f02652b38b31cfcba9a
SHA1 992d553ea0cac9f8e95434418dcf8c3bf618d5f6
SHA256 3764b0ce3b692039ae60e9da386a7070dc6c98cede0df101504186746659568d
SHA512 2d15217c773c1c1c33c4af93fff26edbe891fadea2b789d493735f5284c99a643d86489bdca678a55ebb1793c8ce37a80b37d2b393722d4c134865ad100bf456

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 10dd1382343e8556643dec6bd3222bf5
SHA1 ae0512dbe0639109a31fe7872ca46bd80e26dff0
SHA256 16a38dce4a55f58695de0895da297bcc7c55a3be1544f89bd973431d3ed4ba60
SHA512 9e1f2bd9362e4f0531b617cba00ea185f815fae092030350f4a108d217a4df34513f17acccac542fc30d59188ab392fcc411f0fd296bfb190cec9b92e364827e

C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe:Zone.Identifier

MD5 2e9fc08e958c9c759f5453ce430cc8ce
SHA1 4a9e35901267cec3d9a66b057d2e829a3645c61e
SHA256 ce12b7f8deeb2c8c86ff0c4bfe89918605cd1050c2f9bb5d516ff040b801b7a5
SHA512 a895710af8ee9cea3453c2c1d0aeb4825d2078e2eb19b4952abdf9362f5fea2b161bf3ab6699fa9c694c16e9360029103209bab1800ebbb2d65ae962543a4d41

C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe

MD5 3bd72a361ce4e5514c2e6eee83f08545
SHA1 a5089aa08760b87c7940e6e1e0eac39509a1a9da
SHA256 62a14b870bde8d57e50360039d3474210d1fdaf490afdd1bf36ce92fbaff893b
SHA512 4cc7da68e5b766be6ace9d9ae0458fd09b827fc565dc545ad9d43b4f87638e622f3d280189c23e521dbac3311c583f66d96a9ce751b9aa985036a46b0f2cbc7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582e3f.TMP

MD5 368fd9b0cf868c7873a285c00d31af92
SHA1 cc613f4545f152b99d5336e0714ff7cae23909dc
SHA256 1624a8da19084a3e5defe985e761befe7cd4f9d73d4ef506eb5fd05de6feef9a
SHA512 414296c18cd9b5513277195683a16fd2d8a1312874261d9de3b82a9f14b1b9044a7e4abcb910edd370fbf00165fdb1eae8c7757a5bc551f918641c56c527c49c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 91d271306fa0b9b581bb2f5eeceb59e2
SHA1 8415067a76887f1d93ccd72413e6d2ce70814747
SHA256 69cb11be05655da9b7ac1b3aed46766d6c118fe00448e8dd57936c487fccae80
SHA512 707c499eef7738e5a26def1860b6471b86d74fe7bc34c7a9c67f72a08869edd2368665606d8d63ba038e70cd182f94e6ecc120ed40fc60f948fff83a26606557

memory/4376-381-0x0000000000CF0000-0x0000000000D0E000-memory.dmp

memory/4376-382-0x0000000074D00000-0x00000000754B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 21dc328b80ea14c96337e7e379a93187
SHA1 ca988018e5c0dca9893e6063e26b49d3f1d8b3b9
SHA256 d5f211975a4353450919ce05ee6dd3d38843dbff4edd53f52ccaeeae6860d847
SHA512 12026740ba91a666a5f6bc790722d391a4ccfc3dfb73c3176709d2a083e4f2a7cc07ca7d8aa7980eff61253cb7b0d69eb32aee4bedcadbe9638a0e8876ecb518

memory/4376-388-0x0000000074D00000-0x00000000754B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe

MD5 227494b22a4ee99f48a269c362fd5f19
SHA1 d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9
SHA256 7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2
SHA512 71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

memory/1028-428-0x00007FF8376C0000-0x00007FF838182000-memory.dmp

memory/1028-429-0x000001C962450000-0x000001C962EC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll

MD5 a239b7cac8be034a23e7e231d3bcc6df
SHA1 ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d
SHA256 063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8
SHA512 c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

memory/1028-443-0x000001C964B60000-0x000001C964B70000-memory.dmp

memory/1028-444-0x000001C97DB60000-0x000001C97E716000-memory.dmp

memory/1028-445-0x00007FF8376C0000-0x00007FF838182000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 db01c8bd8a523977913ca58f7b04fa95
SHA1 7cbb95b4bfebc9dae13994a913e772cd5bbdd115
SHA256 604958c8738454d21c9caf240b60ea5342c071e7529e1156ac3fb504e3b770e7
SHA512 23673a825f8cc6d03d00ffcf4eea1ca52f0bd5f71dbe944b1b98157bb5684f6e18abf8c305ba7c243e2908e5ae46d007caa7aca30b528fca6254dae5534878cc

memory/3564-492-0x00007FF8376C0000-0x00007FF838182000-memory.dmp

memory/3564-495-0x00007FF8376C0000-0x00007FF838182000-memory.dmp

memory/4152-517-0x0000000000BC0000-0x0000000000BDE000-memory.dmp

memory/4152-518-0x0000000074D00000-0x00000000754B1000-memory.dmp

memory/4152-519-0x0000000074D00000-0x00000000754B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zO0F2FF049\FixNoStart.txt

MD5 d29fc8fa55dbe2092a0557dc967be12e
SHA1 96e829d1c325514c1ac86432a6bb101512a8b58e
SHA256 454871b7ec4e5870757ad7ca884f70aee89116c154d6126078d2a7d43c2106fd
SHA512 c0e2bfca18fb719c1f84145438c8afdeb53012fdf82d14b9bd128da2495352ed2140e6ae9a5e52e2f0b01e371db71d5126ae9f7ba6225349ebd9c79ba370ad2f

C:\Users\Admin\AppData\Local\Temp\7zO0F298639\Fixer.bat

MD5 2dabc46ce85aaff29f22cd74ec074f86
SHA1 208ae3e48d67b94cc8be7bbfd9341d373fa8a730
SHA256 a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
SHA512 6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

C:\Windows\System32\perfh009.dat

MD5 50362589add3f92e63c918a06d664416
SHA1 e1f96e10fb0f9d3bec9ea89f07f97811ccc78182
SHA256 9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce
SHA512 e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

C:\Windows\System32\perfc009.dat

MD5 7f41bddfccdfe4a298b0bfcf14a20836
SHA1 8acacdd3503c65fb2ddc4fbb9f41811ae8550276
SHA256 446d064235ee69494d5797e01e4039eca0a026c9b801cacf0670334104eedbbb
SHA512 bb984e7660899c293eb3e8c14156cee5237e0cd2b0ada7b03c850f027a08d728fe8774f7a377e911ed54bd788ac5c88fd6e24b41fda6d5020dc6fae0e4980c85

memory/1952-859-0x00007FF837890000-0x00007FF838352000-memory.dmp

memory/1952-861-0x0000019381D60000-0x0000019381D70000-memory.dmp

memory/1952-862-0x00007FF837890000-0x00007FF838352000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe

MD5 9158e38c3bacd6cc50e4355783fead8b
SHA1 c30c982c2d061e4bd8b5e0e3f89693b3939a0833
SHA256 1f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda
SHA512 98683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd

memory/3800-893-0x0000000000290000-0x00000000002B2000-memory.dmp

memory/3800-894-0x00007FF837890000-0x00007FF838352000-memory.dmp

memory/3800-895-0x0000000000AF0000-0x0000000000B00000-memory.dmp

memory/3288-896-0x00007FF837890000-0x00007FF838352000-memory.dmp

memory/3288-897-0x000001D6BFA20000-0x000001D6BFA30000-memory.dmp

memory/3288-898-0x000001D6BFA20000-0x000001D6BFA30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3zmvd2k.xop.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3288-899-0x000001D6BFA30000-0x000001D6BFA52000-memory.dmp

memory/3288-908-0x000001D6BFA20000-0x000001D6BFA30000-memory.dmp

memory/3288-911-0x00007FF837890000-0x00007FF838352000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
