Malware Analysis Report

2024-11-13 16:14

Sample ID 240412-nsrtyaab36
Target http://telegra.ph/XWorm-50-09-06
Tags agenttesla xworm agilenet keylogger persistence rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

Threat Level: Known bad

The file http://telegra.ph/XWorm-50-09-06 was found to be: Known bad.

Malicious Activity Summary

agenttesla xworm agilenet keylogger persistence rat spyware stealer trojan

AgentTesla

Detect Xworm Payload

Xworm

AgentTesla payload

Modifies Installed Components in the registry

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Loads dropped DLL

Uses the VBS compiler for execution

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Delays execution with timeout.exe

Modifies registry key

Enumerates processes with tasklist

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Creates scheduled task(s)

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-12 11:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-12 11:39
Reported 2024-04-12 11:51
Platform win11-20240221-en
Max time kernel 664s
Max time network 669s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-06

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLogger\\Update.exe" | C:\Windows\system32\reg.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe | N/A
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A
Set value (data) \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Pictures" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-627134735-902745853-4257352768-1000\{7CB90F4E-1042-4D8E-AF1C-074F3129864A} | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 02000000010000000300000000000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000020000000000000001000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000004000000030000000200000000000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 74003100000000008c58af5d100058574f524d2d7e312e312d4d0000580009000400efbe8c58af5d8c58af5d2e000000d0aa02000000060000000000000000000000000000003eff9d00580057006f0072006d002d005200410054002d00560032002e0031002d006d00610069006e0000001c000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe\:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe\:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\XWorm-main.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe | N/A
N/A | N/A | C:\Windows\explorer.exe | N/A
N/A | N/A | C:\Windows\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Explorer toggling SeShutdownPrivilege and SeCreatePagefilePrivilege, and 7-Zip enabling restore and security privileges during extraction, are routine. The rows that matter are the SeDebugPrivilege requests from binaries in user-writable paths: XWorm V5.0.exe, XWormLoader.exe, b23k.exe, the Temp copy of Command Reciever.exe, C:\ProgramData\WindowsDefender.exe and C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe (the last two named to pass as vendor software), plus the powershell.exe instances. tasklist.exe enables SeDebugPrivilege on every run and is not significant on its own.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (unresolved privilege LUID; 35 is SeCreateSymbolicLinkPrivilege in winnt.h) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
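
The table above reduces to a short list once the routine rows are filtered out. The script below is an added example for this page, not part of the report or of the sandbox: it parses the report's row format, keeps only SeDebugPrivilege requests from user-writable paths, and flags vendor-sounding names that live outside Program Files and Windows. The rows are copied from the table with duplicates removed; the writable-prefix list, vendor roots and vendor-name tokens are assumptions chosen for this dataset. LOLBins such as powershell.exe and tasklist.exe are deliberately excluded by the path filter and need process-tree context instead.

```python
import re

# Rows copied from the "Suspicious use of AdjustPrivilegeToken" table above
# (constructed inline, duplicates removed, so the script runs offline).
TOKEN_ROWS = [
    r"Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A",
    r"Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\ProgramData\WindowsDefender.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe N/A",
    r"Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A",
    r"Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe N/A",
]

# One report row: "Token: <privilege> <indicator> <process path> <target>".
# The path may contain spaces, so anchor on the literal N/A columns.
ROW_RE = re.compile(r"^Token: (?P<priv>\S+) N/A (?P<proc>.+?) N/A$")

# Assumed for this example: locations a standard user can write to, roots
# where vendor binaries legitimately live, and name fragments that imitate
# vendor software when found anywhere else.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
VENDOR_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_TOKENS = ("windows", "microsoft", "defender", "google", "chrome")


def parse_token_rows(rows):
    """Yield (privilege, process_path) for every well-formed Token row."""
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            yield m["priv"], m["proc"]


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def looks_like_vendor_masquerade(path):
    """A vendor-sounding file or folder name outside the vendor roots."""
    low = path.lower()
    return not low.startswith(VENDOR_ROOTS) and any(t in low for t in VENDOR_TOKENS)


def triage_debug_privilege(rows):
    """Unique processes that enabled SeDebugPrivilege from a user-writable
    path, in first-seen order, each paired with its masquerade flag."""
    found = {}
    for priv, proc in parse_token_rows(rows):
        if priv == "SeDebugPrivilege" and is_user_writable(proc):
            found.setdefault(proc, looks_like_vendor_masquerade(proc))
    return list(found.items())


if __name__ == "__main__":
    for proc, masq in triage_debug_privilege(TOKEN_ROWS):
        print(("MASQUERADE " if masq else "           ") + proc)
```

On these rows the filter leaves six binaries, two of them flagged: C:\ProgramData\WindowsDefender.exe and the Update.exe under GoogleChromeUpdateLogger. The same row parser applies to the other tables on this page once the leading "Token: <name>" is replaced by the "N/A N/A" indicator columns those tables use.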

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe N/A

Suspicious use of WriteProcessMemory

Every row below is the msedge.exe browser process (PID 2904) writing into its own child msedge.exe processes, which is normal Chromium multi-process start-up rather than injection; none of the sample's binaries appears in this table.

Description Indicator Process Target
PID 2904 wrote to memory of 3292 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3292 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2904 wrote to memory of 3964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-06

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\XWorm-V5.0.rar"

C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe

"C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe"

C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe

"C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe'

C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe

"C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3476 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x000000000000046C

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 /prefetch:8

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Users\Admin\Desktop\XWorm-main\XHVNC.exe

"C:\Users\Admin\Desktop\XWorm-main\XHVNC.exe"

C:\Users\Admin\Desktop\XWorm-main\XWorm.exe

"C:\Users\Admin\Desktop\XWorm-main\XWorm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mail.google.com/mail/u/0/#search/[email protected]

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2512 /prefetch:2

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe

"C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:8

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe"

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"

C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

"C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp67B5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp67B5.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 5460"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqdh1nwu\qqdh1nwu.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES815E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2540AC9920DA419999417719697E8320.TMP"

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b3rkb.exe

"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b3rkb.exe"

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

C:\ProgramData\WindowsDefender.exe

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9a219af1b3eb228e0ce8aeb4136e8789
SHA1 fbf618c9dc5575e232eb6842f1fd2819001c9c0d
SHA256 52da2a039455bae5857f1088c9967f694b0ca0d34d81706e0ad33bc972317e7d
SHA512 43609d8504b49ff680fb7028ee202ba001d8298007c9f204dd9b8f3f56101869cc132526d863ec085ea918a29e2dccc0ed9fa713ed315cd1870ba9dfedbd6a8b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 eed06ea67d7296927e80b6c4d39be4a5
SHA1 d6dfe2783a4e214eaafdfb74f0cef10a596c043b
SHA256 5e765b9791e35c29bf47ad348f8d6fb48f86baabe35d0830ad550b849f674eda
SHA512 bd244a343be14edff2a0f8d408072c9055e9554232176bab3b0c5f2f36ab7b2c4f3dc56d6c65c3859ba9862b456c72a82e9017ce91b70a0f7b8bcd771b0b7880

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a997fc654ab159e5dd8d89f18d35daf9
SHA1 ba404bb21b170752d3fa15641d0f4ca6b66a8236
SHA256 234e8c87436c01bc6ec1b05526ce9c16d49f01512d702fbbcfbfb6bd28716bb6
SHA512 a78ed1ef81edb8bb500404619914ea3590fa1f0b70d7896f7689b4ea207e51973c11e890c2448cffc588e76c3a107c9953ba660c254cd4838130e977016f9cd6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f01e235fec7e7ddf91c100881d395f09
SHA1 2c46fd98558eadf10e1bb0c0374911dd05ebcc8b
SHA256 8d3ac1b7820e7d9ba3ac72c51f6a3e2bd23dd116f9d6463923c38985b7aa158f
SHA512 94d9df8e2694b38072ed8775204b212c697dfeb12144c52a86703aba92bda64898c76dcc8473426f386c84dbdae760f2de575eb61b3d888832243c95e98580a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7cf50f83-cabd-4085-8516-43f0c270f42a.tmp

MD5 ff9ff9dc54b22efbd9f5b0f054aef2fc
SHA1 f2beea0aab1fff4de1bcc940c0838c1d82cee3d1
SHA256 ab23ff5555e0375e851e126181dbd7e82bf4b4a9eac987fefa43c4791a4cff58
SHA512 31d878074f669476a843a9d527cb8e70f0a55563fb778fc88bb9f1157f58d7c8ad652edbffa26f3e1e2df2e15c9044071ced04bee39fff79424e199a4dd44113

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c832262863545da67107e19d82b5d93b
SHA1 a4ffb1e5ac1e8f53a6ae5691a88862fc97f94196
SHA256 26d5b0581d05ec0d8aa91f22f9ea2d1d27d32e04a085d52aad00dec1e587122a
SHA512 ab2426141b44b0f4943dbca716ff45b1c8b0acb39f6eff589c5b2d2db2e4f3e2293f261049d2a4f9f1fdbde4f0f4b1e1cb32cb413298cc0ca5e4d00800207b1b

memory/420-1106-0x00007FF955240000-0x00007FF955D02000-memory.dmp

memory/420-1107-0x00007FF955240000-0x00007FF955D02000-memory.dmp

memory/4396-1109-0x00000000002D0000-0x00000000004BA000-memory.dmp

memory/4396-1108-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/4396-1110-0x0000000005530000-0x0000000005AD6000-memory.dmp

memory/4396-1111-0x0000000004F80000-0x0000000005012000-memory.dmp

memory/4396-1112-0x0000000005020000-0x00000000050BC000-memory.dmp

memory/4396-1113-0x00000000050C0000-0x0000000005126000-memory.dmp

memory/4396-1114-0x0000000005210000-0x0000000005220000-memory.dmp

memory/4396-1125-0x0000000074BC0000-0x0000000075371000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b06c13abaec1fa625d6c19d22024381c
SHA1 5cde5231dfdf03adad89316fb7c870f95a00803b
SHA256 e80b7cb093dffb9a539ac613e5dbf8389bca2a3415e87e5df2b8c6ce74ca12e0
SHA512 6768c59af28ca9d635d8baa7a6e5d1fc519918644c8334b2eb9f447d271f135ad6dc5035f17510acda9ccace569ee2fd6f79b00e98fd1aee87c9c879a50740e6

memory/1432-1136-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/1432-1135-0x0000000000170000-0x0000000000882000-memory.dmp

memory/1432-1137-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/1432-1138-0x00000000052D0000-0x00000000052DA000-memory.dmp

memory/1432-1139-0x0000000005670000-0x00000000056C6000-memory.dmp

memory/1432-1140-0x00000000054D0000-0x00000000054E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

MD5 63ffcdb54b5997ad2fd7f1c92f2645fc
SHA1 edbac4eff97e603f220303e301d09de1f5e0c190
SHA256 90616f5caa0559e2342c6dd9cb7dde14dac7721369a0fdd9039b07a771d9a28e
SHA512 d567b013c6751e57aba75421e80e47d7f216d4d160263d0dbd13428fba301bda285d52b7149de89b923669abc544e29b32b5352d3d08acad155b72f8beec2633

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d3f3f72cb3b1d435e177ac78101a5ae4
SHA1 650af0ec7620b05a5e37c33ca1ea9d9d8d55124f
SHA256 50652b2cb10948580bf262c689927a0a59d55d5745b2a54f651fccfae00614ed
SHA512 7c8b6562c09b5872ac629aac6136445e264816540dfb9dc97499e1481d2f755a72b72f40da5d12cf371f21b3e94d48fb11b6ef4162676342a2acfb3a2bf91045

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 91839ff64926d6cfe8af63ea77c29c04
SHA1 e9afee6450250e7ce102b60a499721d873af141a
SHA256 8f8f196b631d554bfb99eca8a4a587b885578748ab31a4cc0b24babcae6a989d
SHA512 22a8c14c7235d4fe484217f82ab6c0b541a9b7fab71105d00aba7b244a51e41b17b06be0e7240683cd95a4f2511a5b4f2262091250e0d85f90df7416d425b55c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2befcfce6d0b698ca16146176b71bfa9
SHA1 969dbbae4d89fc9da9929530fe76c2458917c11d
SHA256 e5805762bbe0f5ae2285e3775f5b67b21d73b4e7774966a4ab0b421e98b70488
SHA512 e7bc31e0296bda7f8f51c4c94352a7e6248b78b70ffc8d90935f58e3e1c77a4171029975305013d10c65971c177af16b5ea656a7db20e436403fca2bca6bb7cd

memory/1432-1202-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/1432-1203-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/1432-1204-0x00000000054D0000-0x00000000054E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 35a85fe857891ce3df3797e949b3e1ad
SHA1 dfe371c9400632678dbf573741458003d4ca303d
SHA256 f33de28ba20c646f575309ceabad3ff21d0059420c27daceb7aa21325862470b
SHA512 2e3b494520558601c9a507d6cb5777192f0dcc5127da0a5c79cc6fd6bbbe45c7729b1f1780eb58f3d655b8ff68f2a63cf398a569b94f12bf6922c662d4088f2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fd357dba5db36aac4375166768507691
SHA1 cad900407dc04fb23123ddb830e60e81e04ca0f7
SHA256 2c25e111a02b512d9e46fed1cbd6e83d4c95c574337b52ec3c077b45d457092a
SHA512 fa73ca139b29ca24d845169c78a28b410f207b12e2c67250d952e3c22312ee15ce2a2642530464c76a60486cae678607809090ceb7663e07975fac8b44406f49

memory/4044-1225-0x00007FF955240000-0x00007FF955D02000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c7bbdae9e2efbd6bff44c0b2b019f144
SHA1 2592f3d6c4685993ffeca105354b939ec4e97c51
SHA256 578c971cac5ff12e90e2b93129c3fdb93adf0c57fdf4664558e8c9f2438cf037
SHA512 d975b4119e5a05e23702ea1dcef8b36328366be74dd62f2db6dfab9a662080e130ac8408913239d2af52f74a26146002a7bfe143c699177be9a62c2c0881427b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 811d9b2fc8ce3c5425a2dbb17d38ad60
SHA1 d79e15c8e2465d4c3d1d76b8ca3ccb58c5187287
SHA256 da9141ad985b82c9676d623812fcfb542af3826de1e8ff7c4c61861c5fd5afda
SHA512 4d1b907c0df82d55d883c0da2a7cc9b0c7245ed48a7123abc81e38768a3cb33e38f7987b2844ecdf7a5468fcb7d9f642649fbfef0b0e0536325fb820fe7c4537

memory/4044-1244-0x00007FF955240000-0x00007FF955D02000-memory.dmp

memory/1144-1245-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/1144-1246-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/1144-1247-0x0000000074BC0000-0x0000000075371000-memory.dmp

memory/1432-1260-0x0000000074BC0000-0x0000000075371000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 14387acdb95aec78fd5abfd43030d735
SHA1 ef5596fdf4c6ba65af55fc14c6b838e600571cf9
SHA256 798dec53f9189ecb90e6386990faf3821f8e9b86cf76c8b6d872105739091954
SHA512 624cc044d8316d110d20a5fbe55e0fbec882fab233ad53549adf08595680f0e753296510f524a64722dd4ce9c45a29fd7dd81ce8f73babe5d42ef09697a4b537

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9719333d78964fd4c63b6bce28587d65
SHA1 5e4ec709ead5655fef9517e5cf6dbd040d7a55f3
SHA256 2fafb5034dcc321c68124509cb75023303439b1f2c58ae6d0bb9e6555641ae24
SHA512 ae13cb445c0a78acbe68169bc2dc34d1565048013b8e9ae46455c04529552485d1bc175ec2bbda65bbc1a81bd91dc8a1478a24908c359e711bd302b410bfb83b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

MD5 d2d55f8057f8b03c94a81f3839b348b9
SHA1 37c399584539734ff679e3c66309498c8b2dd4d9
SHA256 6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c
SHA512 7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

MD5 dfa06a2cf726c1772e54d6f0e7b57fe8
SHA1 6c843917d374a2f5f4fbc2e3cb620737c56f864f
SHA256 a99b0f8a4e209bf564f0570d79edc20f08244edae0a50da214ff32afc56d89fc
SHA512 046af2d7537f6985db4c55368d5d0865713dd955ef094ff3743b0899e8699edc17029c29bd15fdabe4f1258fd1e502372f0073bd2ed0e8d5060e384c0a397e2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

MD5 d6b36c7d4b06f140f860ddc91a4c659c
SHA1 ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA256 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA512 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

MD5 56d57bc655526551f217536f19195495
SHA1 28b430886d1220855a805d78dc5d6414aeee6995
SHA256 f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA512 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

MD5 b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1 386ba241790252df01a6a028b3238de2f995a559
SHA256 b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

MD5 d404b61450122b2ad393c3ece0597317
SHA1 d18809185baef8ec6bbbaca300a2fdb4b76a1f56
SHA256 03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb
SHA512 cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d8b2ec7f054aa0dc8c535ecf1e348313
SHA1 503688c2396047db9c3077958452fe1cb437a811
SHA256 006b85c0222da3a91040668dae6d8253883d080a85186e582b1c0c3e1cc7d2a0
SHA512 738c95701f9785bb6d98dec5c76ec87aa455552550ae8394052a0e0a8e0eed0f6ad557837e0ba1def11f177d3a1befd207f76ca8b4677f97615f1024953cc5cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1bcf3d8a7255dd5e712e26651523922e
SHA1 5d0087ea12017e9eeb377bbccb478a52dc1d0341
SHA256 476648c4a4a1e640c29293a191f875d9022d02d0e51625104f4acb7378219903
SHA512 5d4b7870bbce9e5df2d5b8ead688ce7222bc0420355d2adb0c3d57387385e68ec04a8dc12498c777cc10ea65bd5e4e7c8327cbc3028e2650c89debf1a1407e17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0bb260fc1d4a32c4f497ef3ba4a17898
SHA1 4b7cbaf6f671859a174ec0ced03e704f68ab9572
SHA256 4ae711c1688c1a061f7c5be8d1a9708aa901ec3561b0b9a9bbc9c66ce3e05cdc
SHA512 658ba79e78121522b6e793c63625160a349c69cf58d21bdce2384d09e65a66a62c378100003e3a44c7b850e4f3ee7b27f98be132afeb13af935d0bdb3ee88162

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bc0cad9294ce2521fb830f32dc1791a9
SHA1 0da2fec7acd99465feb0a933348f7fcc21b9a17a
SHA256 dfbbc24fc06460569a6aa9aecb44a5d5fe4839dea166d5c8b49140d8e032e035
SHA512 d17f3f08935604af4eac91d912b4be3246e2e9f3d383a915650c71d79b43d38bd9efeb9032c6471fb0b48904e0cb0b5a50576c55c729e13c9f473b0a573f996f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 399dd7c8da61549e29b9c12163876207
SHA1 6ae4a7f2f2fcb5db3410d6f6ffb338f0306f774c
SHA256 f10e02f9e123cb4bb5b5ed1843c31349d844688c9c4f8a7c6d831ac018baf13c
SHA512 2d4d101c619bdc8d9e67f81623286c11e4eee1d194b6f5a206d183be1706a481f00e5f592e87b01b8916b5078e9cf4aff188a5ecec7c043b808d334806e64688

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c07ae8574b2a7a9013617f7c29dfcee0
SHA1 709669acad783e1fe72d4e87517404f307a5a71f
SHA256 f8f918b12ae9c41781703eb5ee8c56fdc62997dc72990c360f596f3f09d6d034
SHA512 efc209c80121a7224870ea64fc8b38b184be4ad4d52d1abe35b4ca8978f874d35b818ffb313c42527030f63d9eef8326e3fac7c6a5529da088f1d5acf5228054

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7fc88169a711dd91bae97c9f02154eaa
SHA1 ec4e07ebf8bbbab6d7cf8c1fd6fcfb5b9d322b24
SHA256 50b2d24c9c2842cdd0393ccfa6e9a33cce8251b1990c3355897cbaa7eed06ae7
SHA512 1aacecbc2d541f490dd82a79fbb07cfcd2b4f7efc75a87f06682011aa4102e58e9d9d9ff63ed0e0af4f54937820615e05d04debe9d9f525abf8f737a5ff52faa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 effa0951a3659ece909e1b5d522aaff1
SHA1 0f6090c10717b6ce045448a8f87f6a27d060539f
SHA256 c127515fa00e249eae2049bd6623388db2bd05e639325343993bf93df90aa3c7
SHA512 581214b48d767d2aada24e5e532ed40c5c8433a83df68bef42447dcf385c52d9be0252ad7d506186ca458b5cb62a64b950c7b1d3b5facd7d53a8059f43347ca6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e531d17a95609bf850e86aa305a8791e
SHA1 159860340540535bd3b0d382dc0580fd11a9af71
SHA256 feb05c0413f17ef7c7846e1d292b83b6f12727610b50bd701f7764955dfdf87c
SHA512 02d05aa58fc439a1cb04b2b1ec5e6b6b462cccd7ce40a5c4fd815dabec1e08878dcb623dee1110f7cf5fb9d76e7674c32c957bd0a72fbc50f68fa5b1b8fc009c

C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/2936-1832-0x00000000735C0000-0x000000007364A000-memory.dmp

memory/868-1847-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 27f29369690d3be827be79844b5e3180
SHA1 e95cca532ad087ceeef7aa148ff53d84ca08e3f3
SHA256 83088d60e465ff3c8ea4a77fdb5b90db211c907c595ad0d713b01015f9078e50
SHA512 c000b0f39aeab95e5744235bb3b0b575d38a8d5c804c8a07bed91ccf4d599a4cf06452c369fbf0ebdc3ac34b52afe32d524a5533b86b40c83f145f16c740f2fa

C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe:Zone.Identifier

MD5 bab0aa318ce4eea30e3187174311e43c
SHA1 43832db3f0581c9ed8154b7c3e536adb6dd5ad99
SHA256 70ce3369c2d3f46e4001f9a1b737f02e668a3cf17945d319fa4e6905a2dbf3be
SHA512 59a3131f45f4c407f57f29c3fb0570468662748dca2f295dba2f1893daf9949b1b396554161a86c48a60872b2cd7aec716ef872e375230797abda5928e20016d

C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

MD5 b8703418e6c3d1ccd83b8d178ab9f4c9
SHA1 6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
SHA256 d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
SHA512 75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 393ca5ea1f661fa3abb5064e6c73e4d4
SHA1 bb922d84e6835e301f47ab265332c8d9e91eab82
SHA256 11b59d8ed80ab71252576900fc474b4bb34e203e3d87b765b20defcd9ebb7b9a
SHA512 85e332a3219b423eff0adca652eb2c9cdd198d136a229f9a02bfb2e3894d8958e4f4cea91b1c1f7434e256a77adba12d63c1f3476e207012b1e31183a629cead

C:\Users\Admin\Desktop\XWorm-V5.0\Icons\icon (14).ico.ENC

MD5 fee81a41a1a3e154d56c8f494a4e63ee
SHA1 00bd09c44db873922249ca2459c3ef4aef0f7632
SHA256 577b1cea35f044464bb0c5e931ca05a804a01a8e9c24d888e152d9c90073bacd
SHA512 8ef7ab2aa2585410ecc0a5f80aaf399a8860ffbe920c399a6d5a0611ad7589a0a41c26aa779c79cca3238c79607ebba1d8904078da5f45fe312c460eb4cb384f