Analysis
-
max time kernel
664s -
max time network
669s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
12-04-2024 11:39
General
-
Target
http://telegra.ph/XWorm-50-09-06
Malware Config
Extracted
xworm
5.0
testarosa.duckdns.org:7110
Rg1w8TcZ1AXGhMnB
-
Install_directory
%ProgramData%
-
install_file
WindowsDefender.exe
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
AgentTesla payload 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 19 IoCs
-
Loads dropped DLL 4 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 22 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 5 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 61 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-061⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\XWorm-V5.0.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe"C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd83⤵
-
C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5580 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3476 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2512 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x000000000000046C1⤵
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\XWorm-main\XHVNC.exe"C:\Users\Admin\Desktop\XWorm-main\XHVNC.exe"1⤵
-
C:\Users\Admin\Desktop\XWorm-main\XWorm.exe"C:\Users\Admin\Desktop\XWorm-main\XWorm.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mail.google.com/mail/u/0/#search/[email protected]2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd83⤵
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe"C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 8242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1144 -ip 11441⤵
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L2⤵
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"1⤵
- NTFS ADS
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp67B5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp67B5.tmp.bat3⤵
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 5460"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind ":"4⤵
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f5⤵
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f6⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L2⤵
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqdh1nwu\qqdh1nwu.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES815E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2540AC9920DA419999417719697E8320.TMP"3⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b3rkb.exe"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b3rkb.exe"1⤵
- Executes dropped EXE
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\WindowsDefender.exeC:\ProgramData\WindowsDefender.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7cf50f83-cabd-4085-8516-43f0c270f42a.tmpFilesize
12KB
MD5ff9ff9dc54b22efbd9f5b0f054aef2fc
SHA1f2beea0aab1fff4de1bcc940c0838c1d82cee3d1
SHA256ab23ff5555e0375e851e126181dbd7e82bf4b4a9eac987fefa43c4791a4cff58
SHA51231d878074f669476a843a9d527cb8e70f0a55563fb778fc88bb9f1157f58d7c8ad652edbffa26f3e1e2df2e15c9044071ced04bee39fff79424e199a4dd44113
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d4604cbec2768d84c36d8ab35dfed413
SHA1a5b3db6d2a1fa5a8de9999966172239a9b1340c2
SHA2564ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
SHA512c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5577e1c0c1d7ab0053d280fcc67377478
SHA160032085bb950466bba9185ba965e228ec8915e5
SHA2561d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
SHA51239d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5deb4a291b36e799cdd8ec8aca9b72dde
SHA18f6248f0b498a0491b62d75cc8d573192c10f739
SHA256720e170d73ed3896ad7d536a1cdb12f9375e1b76ff48279da39d44914b2417aa
SHA51250e6761c49a89e7b945f953cdca1695c77282cd011fbd88815dc898560b046eb0ce34050340be40b273d29bda093d0382ee8018fbb7523a4be9e6052b7b62e81
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\66cbe582-5da7-4c2e-8668-41d2c12b7f30.tmpFilesize
2KB
MD55f73f47287e375a362355370b13bf364
SHA18def488e09b1f318eb44eb854daaca649f3431dd
SHA25666f9060639a5a0b2dde514b0aa211475a681cccc897cc9738964b971bfc310f3
SHA5123fa7041090f53e50854d1cd0c8191cd14c651e4f44dedb611420d281a6f2a325e81ea2c3bea1da5bdb18f18027d2f9dfaa2803bb2ae6b00e8bbd9492adcbb56d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017Filesize
67KB
MD5d2d55f8057f8b03c94a81f3839b348b9
SHA137c399584539734ff679e3c66309498c8b2dd4d9
SHA2566e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c
SHA5127bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018Filesize
36KB
MD5dfa06a2cf726c1772e54d6f0e7b57fe8
SHA16c843917d374a2f5f4fbc2e3cb620737c56f864f
SHA256a99b0f8a4e209bf564f0570d79edc20f08244edae0a50da214ff32afc56d89fc
SHA512046af2d7537f6985db4c55368d5d0865713dd955ef094ff3743b0899e8699edc17029c29bd15fdabe4f1258fd1e502372f0073bd2ed0e8d5060e384c0a397e2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001aFilesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001bFilesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001cFilesize
1.1MB
MD5d404b61450122b2ad393c3ece0597317
SHA1d18809185baef8ec6bbbaca300a2fdb4b76a1f56
SHA25603551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb
SHA512cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002dFilesize
1024KB
MD563ffcdb54b5997ad2fd7f1c92f2645fc
SHA1edbac4eff97e603f220303e301d09de1f5e0c190
SHA25690616f5caa0559e2342c6dd9cb7dde14dac7721369a0fdd9039b07a771d9a28e
SHA512d567b013c6751e57aba75421e80e47d7f216d4d160263d0dbd13428fba301bda285d52b7149de89b923669abc544e29b32b5352d3d08acad155b72f8beec2633
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD5fd357dba5db36aac4375166768507691
SHA1cad900407dc04fb23123ddb830e60e81e04ca0f7
SHA2562c25e111a02b512d9e46fed1cbd6e83d4c95c574337b52ec3c077b45d457092a
SHA512fa73ca139b29ca24d845169c78a28b410f207b12e2c67250d952e3c22312ee15ce2a2642530464c76a60486cae678607809090ceb7663e07975fac8b44406f49
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD5399dd7c8da61549e29b9c12163876207
SHA16ae4a7f2f2fcb5db3410d6f6ffb338f0306f774c
SHA256f10e02f9e123cb4bb5b5ed1843c31349d844688c9c4f8a7c6d831ac018baf13c
SHA5122d4d101c619bdc8d9e67f81623286c11e4eee1d194b6f5a206d183be1706a481f00e5f592e87b01b8916b5078e9cf4aff188a5ecec7c043b808d334806e64688
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
624B
MD5ecfc137a0b35d7949a9f4480ec607442
SHA1fdac72587705c61fb6ed9b381402150a0af56e95
SHA2566308a9129e2a9026bc1bd4bca694c722c00c6dec37df423a25d72724eabfbccd
SHA5126e1b277d914606f54d90b885d328a6715c439a2a8c5934c5c92d4c491d6f56213406b78cd7247fc4fe434b30c89fa0d4f5b09c310d11bdae9a03c7eefb68af22
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
600B
MD52f79ba62d8127ff2df094433cd686241
SHA19c1643f4ac111c70d92844cc40ab9227517250da
SHA2568913419905590e40aa8dcce5486fa66453559070cac8ac02bbbe82a43d73c71b
SHA51290c684adeb6a79d86cb813f105d86eb90d34ef9491120d0feb9d51b4e6c955efab4a799b3e283359f49471c20e2e969e42739147f7ed05d309c76c61afec6b35
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD5c832262863545da67107e19d82b5d93b
SHA1a4ffb1e5ac1e8f53a6ae5691a88862fc97f94196
SHA25626d5b0581d05ec0d8aa91f22f9ea2d1d27d32e04a085d52aad00dec1e587122a
SHA512ab2426141b44b0f4943dbca716ff45b1c8b0acb39f6eff589c5b2d2db2e4f3e2293f261049d2a4f9f1fdbde4f0f4b1e1cb32cb413298cc0ca5e4d00800207b1b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\FaviconsFilesize
20KB
MD5247cff831f5861ffc8bafb08347c760c
SHA19b871133c34b381c42d4f1e85556dea5f373a5a2
SHA25615b2abf6bec8d0e7f192547537bbf587e54436e8b2bcc05e339c87c91343639d
SHA512fa6b85dbca7a3aeac68e279fbc6278eff33c71e994a2adca978672588fb01537969b0f2d0364ccabf921dd64fb55fe74d335d1d9759567f8a7e3facd8c716851
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD576a7bac8b9df43ee10b2a136abe4628f
SHA1cf0b4eb34612d1acc8aca7e9e09901af2aa559ca
SHA256d9618c288c0fdca92420a8c9b98456545c50d25bd2d1c484fdab3d07c8519a35
SHA512bac20214497248347a6ce9cb213a101abbeae40ca1dcd1ee4e3cb89d055a41ae2fff4100ae717e19a4e81819ac40b25135911ae49210e1b37bc4fbf5eacd0181
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
128KB
MD5ab08edc34f6fb36fe70c0340af92154f
SHA1130614b9b278df69284ddf96584df061ab1e4605
SHA25666c6da589476cd10201b676fa458598b1a2afc796ddc4943f070672e212daf25
SHA5125532ff66a425171aa229d2e2886275b6fd78bc8767e7acd2bdc822e8659b85d8036860e61ed09bc7d69bcbe01f2a8d4b7e70476ef7542bd99376802d6bdbe14c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
12KB
MD5c8a3e225366051fb0b57c4a3a936eb0a
SHA1f6f70b6859745f4e61f03dae8986ee58b46935a4
SHA2564af98c7ebda274b3c19d52f2cfc46c7c4c1c52cf509113b2677f8b6098dcec5a
SHA512700d314efa7ca50d6712fb784daf85f32539a714f5227c69401a81c3aa6e4cb7355524aa9bd327ef0fc0c36c8d94f5cddebce29fa801f099043f90ad18d96835
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
4KB
MD514387acdb95aec78fd5abfd43030d735
SHA1ef5596fdf4c6ba65af55fc14c6b838e600571cf9
SHA256798dec53f9189ecb90e6386990faf3821f8e9b86cf76c8b6d872105739091954
SHA512624cc044d8316d110d20a5fbe55e0fbec882fab233ad53549adf08595680f0e753296510f524a64722dd4ce9c45a29fd7dd81ce8f73babe5d42ef09697a4b537
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
4KB
MD5b06c13abaec1fa625d6c19d22024381c
SHA15cde5231dfdf03adad89316fb7c870f95a00803b
SHA256e80b7cb093dffb9a539ac613e5dbf8389bca2a3415e87e5df2b8c6ce74ca12e0
SHA5126768c59af28ca9d635d8baa7a6e5d1fc519918644c8334b2eb9f447d271f135ad6dc5035f17510acda9ccace569ee2fd6f79b00e98fd1aee87c9c879a50740e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
5KB
MD5e531d17a95609bf850e86aa305a8791e
SHA1159860340540535bd3b0d382dc0580fd11a9af71
SHA256feb05c0413f17ef7c7846e1d292b83b6f12727610b50bd701f7764955dfdf87c
SHA51202d05aa58fc439a1cb04b2b1ec5e6b6b462cccd7ce40a5c4fd815dabec1e08878dcb623dee1110f7cf5fb9d76e7674c32c957bd0a72fbc50f68fa5b1b8fc009c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5d929eae0c27ec80033f4958e692d5077
SHA1ce19dfdf3a04daa32c07c3ed5eb1acf0d5ad876e
SHA25662b75517d3398c4d1b510b789cfe4326d4cf1d7627847fb24d1e554fd83dee59
SHA512e07a0bdca00cf958ab7b273329bee77d4aaf73cfa191b3d4b791440059da8d27d19bdaad1d799d76e5ee2ed4a9def11df72fe285e9b7fe669df377e366739c7e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD556f6ebe4fd8e56c36ec14207b9982dcb
SHA197dc7638a34a0fbfccbbb66b0cca8eb9ac78eeed
SHA25645d48585d92b33235b868e51822a044395f351d1d0664e2547754c7fdeb04349
SHA5124b969567cf789bafb98d5b275798812e8e2dbed3d52c94a4d10c08ea2c2ba0bfd3ee3471080c010bd54fa8fbf69e764c9c75b3c2fa91e95c2848b231a0ee3829
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD59a219af1b3eb228e0ce8aeb4136e8789
SHA1fbf618c9dc5575e232eb6842f1fd2819001c9c0d
SHA25652da2a039455bae5857f1088c9967f694b0ca0d34d81706e0ad33bc972317e7d
SHA51243609d8504b49ff680fb7028ee202ba001d8298007c9f204dd9b8f3f56101869cc132526d863ec085ea918a29e2dccc0ed9fa713ed315cd1870ba9dfedbd6a8b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD591839ff64926d6cfe8af63ea77c29c04
SHA1e9afee6450250e7ce102b60a499721d873af141a
SHA2568f8f196b631d554bfb99eca8a4a587b885578748ab31a4cc0b24babcae6a989d
SHA51222a8c14c7235d4fe484217f82ab6c0b541a9b7fab71105d00aba7b244a51e41b17b06be0e7240683cd95a4f2511a5b4f2262091250e0d85f90df7416d425b55c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD59719333d78964fd4c63b6bce28587d65
SHA15e4ec709ead5655fef9517e5cf6dbd040d7a55f3
SHA2562fafb5034dcc321c68124509cb75023303439b1f2c58ae6d0bb9e6555641ae24
SHA512ae13cb445c0a78acbe68169bc2dc34d1565048013b8e9ae46455c04529552485d1bc175ec2bbda65bbc1a81bd91dc8a1478a24908c359e711bd302b410bfb83b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD51bcf3d8a7255dd5e712e26651523922e
SHA15d0087ea12017e9eeb377bbccb478a52dc1d0341
SHA256476648c4a4a1e640c29293a191f875d9022d02d0e51625104f4acb7378219903
SHA5125d4b7870bbce9e5df2d5b8ead688ce7222bc0420355d2adb0c3d57387385e68ec04a8dc12498c777cc10ea65bd5e4e7c8327cbc3028e2650c89debf1a1407e17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5868bb1eddec5df64789d89777da44e5c
SHA1774d7d6249f70d10318ab2bd14a62b1ba5a52e82
SHA256fd8ff1a304eea777473f26546f4536f48fc55f1dffe26a701199f622bbd843f8
SHA5127df91d656e14e00d915dc9118897bcbec7e5c814c536becf40e24deed52bab74a9ea999f6b44d8e3ddda16374ec28d17ebfabb06d14783495673707074a96d6c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5a9f119a972735fd5fc1bf1c1527d9976
SHA18f7c69f81ca5fe8c654d763d214d222115860de6
SHA256ad80b9f0573d75155935a57618628ebfc2a288883b70bb83d1a61f495b644dc2
SHA512fa8a1548d11aa0394078ed73e44e8c5bf5766527d1e2f09312f85727a67c4ab475418c45105899b9c68503f8adf6827dff3f8f3d8e386ce930b26cbc451172ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5a997fc654ab159e5dd8d89f18d35daf9
SHA1ba404bb21b170752d3fa15641d0f4ca6b66a8236
SHA256234e8c87436c01bc6ec1b05526ce9c16d49f01512d702fbbcfbfb6bd28716bb6
SHA512a78ed1ef81edb8bb500404619914ea3590fa1f0b70d7896f7689b4ea207e51973c11e890c2448cffc588e76c3a107c9953ba660c254cd4838130e977016f9cd6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5245760dc74e6d5c17fe105dffd87e132
SHA1b5530a6a7309e27b35fa82fb1c7356bcb55152f8
SHA2564cb408c304d61b1d3d1ed4375f82803d46b2253f901e4389be9bb68daea28b48
SHA512a1843449c656b0f715bd7b52f28f615f1ef78e3f0f3444a9cd672c6666b72f74f8f56e27b4f050978a4fe935a77c38bcdad1ed9bcc138c0043aa735a9569c933
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5b6ec0c4e6d2aa4f9a29299775f842c8e
SHA183f983228572476b6863c09e447fcf0bc5b364f4
SHA256fd3356d22e47adb95b802a7de89eee584bab07bea6b57a5079da2d95e717941c
SHA512a7fb05e240d59295d9065fe2c9f140bab39d09ad91dde8760947b5fe3a2f7c53b42b174de19fb15d41e53231315d34940dae4668af8e197795aa86fbc4369ade
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5fb7d4b77461292d0b781d9a15228dfe6
SHA11338a1d7808b6b1acfb9bac83a3f58e7b6dae66f
SHA256cfbe54149281af7d7be1398a8f0c7015f29b575bc3807b91ffa02b999e8a0677
SHA5126168590bbd1b2efbecb8bb7bb800a4573a4af8e369a634ecc3a8543d5f119b8829e6899423db16d640e726583eb6cbb2dc9ce8129708c5bcebc6b57cca272da2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5811d9b2fc8ce3c5425a2dbb17d38ad60
SHA1d79e15c8e2465d4c3d1d76b8ca3ccb58c5187287
SHA256da9141ad985b82c9676d623812fcfb542af3826de1e8ff7c4c61861c5fd5afda
SHA5124d1b907c0df82d55d883c0da2a7cc9b0c7245ed48a7123abc81e38768a3cb33e38f7987b2844ecdf7a5468fcb7d9f642649fbfef0b0e0536325fb820fe7c4537
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD57fc88169a711dd91bae97c9f02154eaa
SHA1ec4e07ebf8bbbab6d7cf8c1fd6fcfb5b9d322b24
SHA25650b2d24c9c2842cdd0393ccfa6e9a33cce8251b1990c3355897cbaa7eed06ae7
SHA5121aacecbc2d541f490dd82a79fbb07cfcd2b4f7efc75a87f06682011aa4102e58e9d9d9ff63ed0e0af4f54937820615e05d04debe9d9f525abf8f737a5ff52faa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5d7b58b18653178b3593cf64a3cf76ead
SHA1f8106889a708a8432e4edac19174815c6259354c
SHA25691aa5d3a1fc23d7776753ecadfa23f36c9b9fe35784ca03fb92425df9b52dc00
SHA51235ad04516a2adf07bb0573dd79516a7266298f2663f71da12910de8f867912fb665e2954aec5e0ffea6e7b312f0fd7fd9afc4326c17fdc0063529cbc81f4ace6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13357395614373915Filesize
26KB
MD5ae6475e96e68985c211082fd4710146e
SHA122c1e11fff8d089c8fc02b1fee3bb86c5fa67870
SHA256db8143e6fb282f1bfbed445a76990e1dde02c49b03e56668a3cc78d98a306c85
SHA512dc8e84151a3231961bfa9ab90d9673f8305c7f2786a33016d11f19237ace799a687d6d2e3d83eee3b4f7e340bcab210734319b0acd5800fcd7baae8eb14521d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.logFilesize
184B
MD53b6d52cd03dbf8387788a9a40e5894b7
SHA174824fdda4d2b41cac43e2f79e9324874f06281d
SHA256a6dde344c5c8b31a5ce715a0baff684d1f08fcbb205ad85ce1ebc4e715b4d9d8
SHA5129688bc1f0a9fd9a454e8a987d806f85d6a15f4f98522b5791b07e1af6434a2cda9e5c14820c1fca68cb00b742fe18e91a3e0e10b0df4b130cce998dcddba4a64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
350B
MD59e1812ab6011a346a4d7deb764eed2a6
SHA1eed3aee5359887659662ef988d9e8fe45f3080cb
SHA256285278c2dd3bac5f3226fec60d805e414114b21c9efc936aad20ba49e50cce89
SHA512ee3db86545f76e2dc16db93b3e9d63cc281fe741fc6731c5f29e8367e391a88715ea6e945f46c558b1e849001ea9765acc1e6944847dee3eeac2a3aba5116fa5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD57d7fb5dc720c8d861724aa838721cac4
SHA12ceee2a1bb96741812e16aad0b72dc5a57b59286
SHA2564d87a34b2790320238a476c46ea752da7ac096e77ee8ba3270dab2f8a1082c43
SHA512ee9484568d8f73f9a39f770a0459e706bc8e10159e19236ac418d4122e3b2fcc66480723c16d159a5322810b7bcf72976f77d933102110ab52a68258db8dcf20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
4KB
MD5d8b2ec7f054aa0dc8c535ecf1e348313
SHA1503688c2396047db9c3077958452fe1cb437a811
SHA256006b85c0222da3a91040668dae6d8253883d080a85186e582b1c0c3e1cc7d2a0
SHA512738c95701f9785bb6d98dec5c76ec87aa455552550ae8394052a0e0a8e0eed0f6ad557837e0ba1def11f177d3a1befd207f76ca8b4677f97615f1024953cc5cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
4KB
MD535a85fe857891ce3df3797e949b3e1ad
SHA1dfe371c9400632678dbf573741458003d4ca303d
SHA256f33de28ba20c646f575309ceabad3ff21d0059420c27daceb7aa21325862470b
SHA5122e3b494520558601c9a507d6cb5777192f0dcc5127da0a5c79cc6fd6bbbe45c7729b1f1780eb58f3d655b8ff68f2a63cf398a569b94f12bf6922c662d4088f2a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5f01e235fec7e7ddf91c100881d395f09
SHA12c46fd98558eadf10e1bb0c0374911dd05ebcc8b
SHA2568d3ac1b7820e7d9ba3ac72c51f6a3e2bd23dd116f9d6463923c38985b7aa158f
SHA51294d9df8e2694b38072ed8775204b212c697dfeb12144c52a86703aba92bda64898c76dcc8473426f386c84dbdae760f2de575eb61b3d888832243c95e98580a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
4KB
MD52befcfce6d0b698ca16146176b71bfa9
SHA1969dbbae4d89fc9da9929530fe76c2458917c11d
SHA256e5805762bbe0f5ae2285e3775f5b67b21d73b4e7774966a4ab0b421e98b70488
SHA512e7bc31e0296bda7f8f51c4c94352a7e6248b78b70ffc8d90935f58e3e1c77a4171029975305013d10c65971c177af16b5ea656a7db20e436403fca2bca6bb7cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
4KB
MD50bb260fc1d4a32c4f497ef3ba4a17898
SHA14b7cbaf6f671859a174ec0ced03e704f68ab9572
SHA2564ae711c1688c1a061f7c5be8d1a9708aa901ec3561b0b9a9bbc9c66ce3e05cdc
SHA512658ba79e78121522b6e793c63625160a349c69cf58d21bdce2384d09e65a66a62c378100003e3a44c7b850e4f3ee7b27f98be132afeb13af935d0bdb3ee88162
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
4KB
MD5effa0951a3659ece909e1b5d522aaff1
SHA10f6090c10717b6ce045448a8f87f6a27d060539f
SHA256c127515fa00e249eae2049bd6623388db2bd05e639325343993bf93df90aa3c7
SHA512581214b48d767d2aada24e5e532ed40c5c8433a83df68bef42447dcf385c52d9be0252ad7d506186ca458b5cb62a64b950c7b1d3b5facd7d53a8059f43347ca6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
4KB
MD5bc0cad9294ce2521fb830f32dc1791a9
SHA10da2fec7acd99465feb0a933348f7fcc21b9a17a
SHA256dfbbc24fc06460569a6aa9aecb44a5d5fe4839dea166d5c8b49140d8e032e035
SHA512d17f3f08935604af4eac91d912b4be3246e2e9f3d383a915650c71d79b43d38bd9efeb9032c6471fb0b48904e0cb0b5a50576c55c729e13c9f473b0a573f996f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD593affefc3aa22541df6e1d2ec38468ed
SHA177505b079f94ae3d674b9b2f0dcee642d61acc8b
SHA256ebd1570cd9fcab5b1aa9bd4e7dc909030e1d36f988248acb5a43a709567a3529
SHA512dbe98330b63fbc0454464f07fd02c386e42b86855ae884d4e0340033f44feeec7a74ea6fb0343d02a88c7e7fd99d64613351459d7a163adfcd9866885fd23908
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5eed06ea67d7296927e80b6c4d39be4a5
SHA1d6dfe2783a4e214eaafdfb74f0cef10a596c043b
SHA2565e765b9791e35c29bf47ad348f8d6fb48f86baabe35d0830ad550b849f674eda
SHA512bd244a343be14edff2a0f8d408072c9055e9554232176bab3b0c5f2f36ab7b2c4f3dc56d6c65c3859ba9862b456c72a82e9017ce91b70a0f7b8bcd771b0b7880
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD5d55d8b9a0f3771b80a9e6abe99681d6b
SHA186bcabe441a084524e26bf236fb1456a90c03499
SHA256bcc3b16373841345cdba2647a8573b6884120a5e01aa14d5c76d90db0c0264b4
SHA51210bbd3543cd2706b08feec9bc2433e6c6339d9085a003c805767fe7c68d1a20cbe889b37b4514d9e17c8e3cbfa479bf521c862f8ac68887cb8108e3606120de4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-walFilesize
2.0MB
MD5cc5098d02a0afc539600bfed660497c7
SHA1c5e0ca4a98ae0be5eaf0cafea545a2fd3dcd53a7
SHA2569c51383f41b2dfd1cd56cebe5bf04b3cde8d8717170c77709c9c46819df3cf73
SHA51233e52acf4bc69de59ffae56945cf8ce0e328b2ec537af573077e6c276992363ba1c188c5c4fa1b9a1e6cd8bb563cc563138a98a30588199f22862c2dd348f8c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.logFilesize
318B
MD5d5340f27fd619d269b4b3923908a9f31
SHA17c3a36bc152889464469e0e7745386dd011af34e
SHA256fd2bb5374a8436e36ab338a2864b6436b2a640bbbf1ef00f18fbe4513273f080
SHA5126d863256d415c000a180a15d558f135ab687772c5a8ed62e41cae52c3dd7e4534f4560f836d62983b3ece69e8d327012eeb4a23f684c32c3a7a18f784d20297c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOGFilesize
340B
MD5ab73808d848c37e52f61f525e551ce53
SHA16d32e734d7e21e3bf4eccace3cbb5df908eb3933
SHA2568e7207a5bc9112821f85c7c76b23df8ea870ba5f59cb0cc0d6bf00c553bba728
SHA512d2b9a90877bc973d43ad93bd9c6cbe6a3379343d12b21f486b395f765d1ff0b3d0ba9af2095831ec5d70d448b374cd9bf535a8502359447e869b0f2b2e73841d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5ae9763f43df03bc61720d2f2539223d0
SHA10c094a29c42502e46c721f80927fcc62c9593fb4
SHA25641f0b864107c9e64a4c5437e5dbabce0af31ced9b4eee29706f02570d841753a
SHA5127c9a573e24bc2d6e7713b2ad48fdb31f889927e0594fccb490a7eacd67f92d688d409ba0e18b5ff76ffac84170731be77420c6934646c78f278b1b028efd3d11
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5d3f3f72cb3b1d435e177ac78101a5ae4
SHA1650af0ec7620b05a5e37c33ca1ea9d9d8d55124f
SHA25650652b2cb10948580bf262c689927a0a59d55d5745b2a54f651fccfae00614ed
SHA5127c8b6562c09b5872ac629aac6136445e264816540dfb9dc97499e1481d2f755a72b72f40da5d12cf371f21b3e94d48fb11b6ef4162676342a2acfb3a2bf91045
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD51bea41abe862fe121d01b3f5c8c66829
SHA1de82a0a1e3dc929cac945e63d5ddc84053929da9
SHA256b46b4db6452bd90af2d902d7c2f2f9755b75c16d92a7365f7e4791ae8bb1836b
SHA5124b4a47db38a536faae3fdd9dd21c46130b871688bf66f42037e9afa48975e42c3a35307edcf14d95f929eaa33ed6cfea2774a3fb338dfada2d42e10395dee612
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5c07ae8574b2a7a9013617f7c29dfcee0
SHA1709669acad783e1fe72d4e87517404f307a5a71f
SHA256f8f918b12ae9c41781703eb5ee8c56fdc62997dc72990c360f596f3f09d6d034
SHA512efc209c80121a7224870ea64fc8b38b184be4ad4d52d1abe35b4ca8978f874d35b818ffb313c42527030f63d9eef8326e3fac7c6a5529da088f1d5acf5228054
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5c7bbdae9e2efbd6bff44c0b2b019f144
SHA12592f3d6c4685993ffeca105354b939ec4e97c51
SHA256578c971cac5ff12e90e2b93129c3fdb93adf0c57fdf4664558e8c9f2438cf037
SHA512d975b4119e5a05e23702ea1dcef8b36328366be74dd62f2db6dfab9a662080e130ac8408913239d2af52f74a26146002a7bfe143c699177be9a62c2c0881427b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5cae9b418508a62923c60af0dbcf2575a
SHA175b056e6a9e1e711790721ed05e3a04484cc2653
SHA256f0f3553fb761e06f968690a2a81cac51362784690d40f8083c02403c804d1f1a
SHA5122e1c9863172fd1ad3cbea916de137bdf2228a05c9e20b38acc248de82c64032b37044393d64db96987a914c7453c72e0ca4f466d70bdbe2c17f208f78250e813
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5a0e03a7e736384beb8a7035845f78e3c
SHA105d245c936ce0253924980040ae18f3682545b03
SHA25668648e9ab4d9b96f56ef73c58d3e276b291198b5fc5565adc38b5bc6cdf79db0
SHA51202990db209c6a43bc034faa2a65da8e64d089a341cb6bd3aa2fa42105d881bc1faf2f5f9d2b630cb5d420241169a2e3e0b15df57665c1ef93ec628ac23d35559
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD527f29369690d3be827be79844b5e3180
SHA1e95cca532ad087ceeef7aa148ff53d84ca08e3f3
SHA25683088d60e465ff3c8ea4a77fdb5b90db211c907c595ad0d713b01015f9078e50
SHA512c000b0f39aeab95e5744235bb3b0b575d38a8d5c804c8a07bed91ccf4d599a4cf06452c369fbf0ebdc3ac34b52afe32d524a5533b86b40c83f145f16c740f2fa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5408641808e457ab6e23d62e59b767753
SHA14205cfa0dfdfee6be08e8c0041d951dcec1d3946
SHA2563921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258
SHA512e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5549ecc6e6baef14e62306531602260ed
SHA1cad898d58fd9cbf92760d030a00130ea8f797e09
SHA256c5fe493720e278fcb114cc810f01d6455b7894c5fd834312b64476f8477e5770
SHA5127a83e840836d91d5deb1a7b6e2c78be10b2e2d5d29e92334c565f30d0be7df0e0753700a716c6d3cf3cc063a1605268de999f8b57d8c7c25844164f442b6638e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD580707036df540b6657f9d443b449e3c3
SHA1b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA2566651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA51265e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f
-
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dllFilesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
C:\Users\Admin\AppData\Local\Temp\7zE8A3A2F38\XWorm-V5.0\Icons\icon (15).icoFilesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dllFilesize
112KB
MD5a239b7cac8be034a23e7e231d3bcc6df
SHA1ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d
SHA256063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8
SHA512c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exeFilesize
5.6MB
MD5b8703418e6c3d1ccd83b8d178ab9f4c9
SHA16fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
SHA256d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
SHA51275ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe:Zone.IdentifierFilesize
86B
MD5bab0aa318ce4eea30e3187174311e43c
SHA143832db3f0581c9ed8154b7c3e536adb6dd5ad99
SHA25670ce3369c2d3f46e4001f9a1b737f02e668a3cf17945d319fa4e6905a2dbf3be
SHA51259a3131f45f4c407f57f29c3fb0570468662748dca2f295dba2f1893daf9949b1b396554161a86c48a60872b2cd7aec716ef872e375230797abda5928e20016d
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4qdr3v0.i0a.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Desktop\XWorm-V5.0.rarFilesize
28.8MB
MD5f778fc725ed79c15d3ad889e7a33bea8
SHA16dfce5a46e080fb2436b09a5ed68b98b4c28c17d
SHA256c2a1b97d657542e949496bc96e5a6c4e0beb101a629e7591519d0cb7e906dbfa
SHA512ecb5365ae67963d1d246851a852fda53d7ed100e99377d340124b432a3d502044d4ae3abf2e67f7b1224dd08e42e45906d173fcf0e667ec1f052102a4196745a
-
C:\Users\Admin\Desktop\XWorm-V5.0\GeoIP.datFilesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
C:\Users\Admin\Desktop\XWorm-V5.0\Guna.UI2.dllFilesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
C:\Users\Admin\Desktop\XWorm-V5.0\Icons\icon (14).ico.ENCFilesize
361KB
MD5fee81a41a1a3e154d56c8f494a4e63ee
SHA100bd09c44db873922249ca2459c3ef4aef0f7632
SHA256577b1cea35f044464bb0c5e931ca05a804a01a8e9c24d888e152d9c90073bacd
SHA5128ef7ab2aa2585410ecc0a5f80aaf399a8860ffbe920c399a6d5a0611ad7589a0a41c26aa779c79cca3238c79607ebba1d8904078da5f45fe312c460eb4cb384f
-
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exeFilesize
10.4MB
MD5227494b22a4ee99f48a269c362fd5f19
SHA1d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9
SHA2567471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2
SHA51271070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0
-
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe.configFilesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exeFilesize
111KB
MD59158e38c3bacd6cc50e4355783fead8b
SHA1c30c982c2d061e4bd8b5e0e3f89693b3939a0833
SHA2561f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda
SHA51298683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd
-
C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENCFilesize
16B
MD5393ca5ea1f661fa3abb5064e6c73e4d4
SHA1bb922d84e6835e301f47ab265332c8d9e91eab82
SHA25611b59d8ed80ab71252576900fc474b4bb34e203e3d87b765b20defcd9ebb7b9a
SHA51285e332a3219b423eff0adca652eb2c9cdd198d136a229f9a02bfb2e3894d8958e4f4cea91b1c1f7434e256a77adba12d63c1f3476e207012b1e31183a629cead
-
\??\pipe\LOCAL\crashpad_2904_AZDRWXLJKFRJPZGBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/420-1107-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/420-1106-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/436-490-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/436-513-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/436-511-0x000001EC25020000-0x000001EC25030000-memory.dmpFilesize
64KB
-
memory/436-491-0x000001EC25020000-0x000001EC25030000-memory.dmpFilesize
64KB
-
memory/448-419-0x0000022EC42C0000-0x0000022EC42E2000-memory.dmpFilesize
136KB
-
memory/448-421-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/448-425-0x0000022EABEF0000-0x0000022EABF00000-memory.dmpFilesize
64KB
-
memory/448-430-0x0000022EABEF0000-0x0000022EABF00000-memory.dmpFilesize
64KB
-
memory/448-437-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/784-433-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/784-431-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/784-392-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/784-393-0x000002CDD05A0000-0x000002CDD1012000-memory.dmpFilesize
10.4MB
-
memory/784-401-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/784-402-0x000002CDEBC20000-0x000002CDEC7D6000-memory.dmpFilesize
11.7MB
-
memory/784-404-0x000002CDECBB0000-0x000002CDECDA4000-memory.dmpFilesize
2.0MB
-
memory/784-492-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/784-405-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/784-406-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/784-682-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/784-434-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/784-439-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/784-450-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmpFilesize
64KB
-
memory/868-1847-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1144-1247-0x0000000074BC0000-0x0000000075371000-memory.dmpFilesize
7.7MB
-
memory/1144-1245-0x00000000007B0000-0x00000000007B8000-memory.dmpFilesize
32KB
-
memory/1144-1246-0x0000000074BC0000-0x0000000075371000-memory.dmpFilesize
7.7MB
-
memory/1200-719-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/1200-726-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/1432-1140-0x00000000054D0000-0x00000000054E0000-memory.dmpFilesize
64KB
-
memory/1432-1136-0x0000000074BC0000-0x0000000075371000-memory.dmpFilesize
7.7MB
-
memory/1432-1135-0x0000000000170000-0x0000000000882000-memory.dmpFilesize
7.1MB
-
memory/1432-1137-0x00000000054D0000-0x00000000054E0000-memory.dmpFilesize
64KB
-
memory/1432-1138-0x00000000052D0000-0x00000000052DA000-memory.dmpFilesize
40KB
-
memory/1432-1204-0x00000000054D0000-0x00000000054E0000-memory.dmpFilesize
64KB
-
memory/1432-1203-0x00000000054D0000-0x00000000054E0000-memory.dmpFilesize
64KB
-
memory/1432-1202-0x0000000074BC0000-0x0000000075371000-memory.dmpFilesize
7.7MB
-
memory/1432-1260-0x0000000074BC0000-0x0000000075371000-memory.dmpFilesize
7.7MB
-
memory/1432-1139-0x0000000005670000-0x00000000056C6000-memory.dmpFilesize
344KB
-
memory/2236-417-0x000000001AFC0000-0x000000001AFD0000-memory.dmpFilesize
64KB
-
memory/2236-409-0x00000000000B0000-0x00000000000D2000-memory.dmpFilesize
136KB
-
memory/2236-469-0x000000001AFC0000-0x000000001AFD0000-memory.dmpFilesize
64KB
-
memory/2236-410-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/2236-452-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/2936-1832-0x00000000735C0000-0x000000007364A000-memory.dmpFilesize
552KB
-
memory/3228-455-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/3228-432-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/3404-468-0x0000029935210000-0x0000029935220000-memory.dmpFilesize
64KB
-
memory/3404-471-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/3404-467-0x0000029935210000-0x0000029935220000-memory.dmpFilesize
64KB
-
memory/3404-466-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/4044-1244-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/4044-1225-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/4396-1109-0x00000000002D0000-0x00000000004BA000-memory.dmpFilesize
1.9MB
-
memory/4396-1112-0x0000000005020000-0x00000000050BC000-memory.dmpFilesize
624KB
-
memory/4396-1110-0x0000000005530000-0x0000000005AD6000-memory.dmpFilesize
5.6MB
-
memory/4396-1108-0x0000000074BC0000-0x0000000075371000-memory.dmpFilesize
7.7MB
-
memory/4396-1111-0x0000000004F80000-0x0000000005012000-memory.dmpFilesize
584KB
-
memory/4396-1125-0x0000000074BC0000-0x0000000075371000-memory.dmpFilesize
7.7MB
-
memory/4396-1114-0x0000000005210000-0x0000000005220000-memory.dmpFilesize
64KB
-
memory/4396-1113-0x00000000050C0000-0x0000000005126000-memory.dmpFilesize
408KB
-
memory/4668-448-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB
-
memory/4668-449-0x000001CAE8F30000-0x000001CAE8F40000-memory.dmpFilesize
64KB
-
memory/4668-456-0x00007FF955240000-0x00007FF955D02000-memory.dmpFilesize
10.8MB