Analysis Overview
Threat Level: Known bad
The file http://telegra.ph/XWorm-50-09-06 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detect Xworm Payload
Xworm
AgentTesla payload
Modifies Installed Components in the registry
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Loads dropped DLL
Uses the VBS compiler for execution
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Uses Volume Shadow Copy service COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Enumerates system info in registry
Checks processor information in registry
Uses Volume Shadow Copy WMI provider
Delays execution with timeout.exe
Modifies registry key
Enumerates processes with tasklist
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Creates scheduled task(s)
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-12 11:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-12 11:39
Reported: 2024-04-12 11:51
Platform: win11-20240221-en
Max time kernel: 664s
Max time network: 669s
Command Line
Signatures
AgentTesla
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
AgentTesla payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLogger\\Update.exe" | C:\Windows\system32\reg.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4044 set thread context of 868 | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 5560 set thread context of 5668 | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 5612 set thread context of 5840 | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Pictures" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-627134735-902745853-4257352768-1000\{7CB90F4E-1042-4D8E-AF1C-074F3129864A} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 02000000010000000300000000000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000020000000000000001000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000004000000030000000200000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 74003100000000008c58af5d100058574f524d2d7e312e312d4d0000580009000400efbe8c58af5d8c58af5d2e000000d0aa02000000060000000000000000000000000000003eff9d00580057006f0072006d002d005200410054002d00560032002e0031002d006d00610069006e0000001c000000 | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe\:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe\:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\XWorm-main.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-06
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\XWorm-V5.0.rar"
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe
"C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe"
C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe
"C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe'
C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe
"C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,6015577965180891212,12270707570076862597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5580 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3476 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x000000000000046C
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 /prefetch:8
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Users\Admin\Desktop\XWorm-main\XHVNC.exe
"C:\Users\Admin\Desktop\XWorm-main\XHVNC.exe"
C:\Users\Admin\Desktop\XWorm-main\XWorm.exe
"C:\Users\Admin\Desktop\XWorm-main\XWorm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mail.google.com/mail/u/0/#search/[email protected]
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96aa93cb8,0x7ff96aa93cc8,0x7ff96aa93cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2512 /prefetch:2
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe
"C:\Users\Admin\Desktop\XWorm-main\XWorm.vshost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1144 -ip 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 824
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,12929990381465959830,8713682205854353268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:8
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe"
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
"C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp67B5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp67B5.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 5460"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe /f
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b23k.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EFOH28 127.0.0.1 8000 VBO23L
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqdh1nwu\qqdh1nwu.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES815E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2540AC9920DA419999417719697E8320.TMP"
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b3rkb.exe
"C:\Users\Admin\Desktop\XWorm-RAT-V2.1-main\XWorm RAT V2.1\b3rkb.exe"
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_2904_AZDRWXLJKFRJPZGB
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\66cbe582-5da7-4c2e-8668-41d2c12b7f30.tmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier
C:\Users\Admin\Desktop\XWorm-V5.0.rar
C:\Users\Admin\AppData\Local\Temp\7zE8A3A2F38\XWorm-V5.0\Icons\icon (15).ico
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe
C:\Users\Admin\Desktop\XWorm-V5.0\XWorm V5.0.exe.config
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
C:\Users\Admin\Desktop\XWorm-V5.0\Guna.UI2.dll
C:\Users\Admin\Desktop\XWorm-V5.0\XWormLoader.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4qdr3v0.i0a.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
memory/784-439-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmp
memory/4668-448-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/4668-449-0x000001CAE8F30000-0x000001CAE8F40000-memory.dmp
memory/784-450-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 408641808e457ab6e23d62e59b767753 |
| SHA1 | 4205cfa0dfdfee6be08e8c0041d951dcec1d3946 |
| SHA256 | 3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258 |
| SHA512 | e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb |
memory/2236-452-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/3228-455-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/4668-456-0x00007FF955240000-0x00007FF955D02000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 549ecc6e6baef14e62306531602260ed |
| SHA1 | cad898d58fd9cbf92760d030a00130ea8f797e09 |
| SHA256 | c5fe493720e278fcb114cc810f01d6455b7894c5fd834312b64476f8477e5770 |
| SHA512 | 7a83e840836d91d5deb1a7b6e2c78be10b2e2d5d29e92334c565f30d0be7df0e0753700a716c6d3cf3cc063a1605268de999f8b57d8c7c25844164f442b6638e |
memory/3404-466-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/3404-468-0x0000029935210000-0x0000029935220000-memory.dmp
memory/3404-467-0x0000029935210000-0x0000029935220000-memory.dmp
memory/2236-469-0x000000001AFC0000-0x000000001AFD0000-memory.dmp
memory/3404-471-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/436-490-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/436-491-0x000001EC25020000-0x000001EC25030000-memory.dmp
memory/784-492-0x000002CDD14C0000-0x000002CDD14D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80707036df540b6657f9d443b449e3c3 |
| SHA1 | b3e7d5d97274942164bf93c8c4b8a9b68713f46f |
| SHA256 | 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0 |
| SHA512 | 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d929eae0c27ec80033f4958e692d5077 |
| SHA1 | ce19dfdf3a04daa32c07c3ed5eb1acf0d5ad876e |
| SHA256 | 62b75517d3398c4d1b510b789cfe4326d4cf1d7627847fb24d1e554fd83dee59 |
| SHA512 | e07a0bdca00cf958ab7b273329bee77d4aaf73cfa191b3d4b791440059da8d27d19bdaad1d799d76e5ee2ed4a9def11df72fe285e9b7fe669df377e366739c7e |
memory/436-511-0x000001EC25020000-0x000001EC25030000-memory.dmp
memory/436-513-0x00007FF955240000-0x00007FF955D02000-memory.dmp
C:\Users\Admin\Desktop\XWorm-V5.0\GeoIP.dat
| MD5 | 8ef41798df108ce9bd41382c9721b1c9 |
| SHA1 | 1e6227635a12039f4d380531b032bf773f0e6de0 |
| SHA256 | bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740 |
| SHA512 | 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1bea41abe862fe121d01b3f5c8c66829 |
| SHA1 | de82a0a1e3dc929cac945e63d5ddc84053929da9 |
| SHA256 | b46b4db6452bd90af2d902d7c2f2f9755b75c16d92a7365f7e4791ae8bb1836b |
| SHA512 | 4b4a47db38a536faae3fdd9dd21c46130b871688bf66f42037e9afa48975e42c3a35307edcf14d95f929eaa33ed6cfea2774a3fb338dfada2d42e10395dee612 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | ecfc137a0b35d7949a9f4480ec607442 |
| SHA1 | fdac72587705c61fb6ed9b381402150a0af56e95 |
| SHA256 | 6308a9129e2a9026bc1bd4bca694c722c00c6dec37df423a25d72724eabfbccd |
| SHA512 | 6e1b277d914606f54d90b885d328a6715c439a2a8c5934c5c92d4c491d6f56213406b78cd7247fc4fe434b30c89fa0d4f5b09c310d11bdae9a03c7eefb68af22 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fb7d4b77461292d0b781d9a15228dfe6 |
| SHA1 | 1338a1d7808b6b1acfb9bac83a3f58e7b6dae66f |
| SHA256 | cfbe54149281af7d7be1398a8f0c7015f29b575bc3807b91ffa02b999e8a0677 |
| SHA512 | 6168590bbd1b2efbecb8bb7bb800a4573a4af8e369a634ecc3a8543d5f119b8829e6899423db16d640e726583eb6cbb2dc9ce8129708c5bcebc6b57cca272da2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 56f6ebe4fd8e56c36ec14207b9982dcb |
| SHA1 | 97dc7638a34a0fbfccbbb66b0cca8eb9ac78eeed |
| SHA256 | 45d48585d92b33235b868e51822a044395f351d1d0664e2547754c7fdeb04349 |
| SHA512 | 4b969567cf789bafb98d5b275798812e8e2dbed3d52c94a4d10c08ea2c2ba0bfd3ee3471080c010bd54fa8fbf69e764c9c75b3c2fa91e95c2848b231a0ee3829 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 93affefc3aa22541df6e1d2ec38468ed |
| SHA1 | 77505b079f94ae3d674b9b2f0dcee642d61acc8b |
| SHA256 | ebd1570cd9fcab5b1aa9bd4e7dc909030e1d36f988248acb5a43a709567a3529 |
| SHA512 | dbe98330b63fbc0454464f07fd02c386e42b86855ae884d4e0340033f44feeec7a74ea6fb0343d02a88c7e7fd99d64613351459d7a163adfcd9866885fd23908 |
memory/784-682-0x00007FF955240000-0x00007FF955D02000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13357395614373915
| MD5 | ae6475e96e68985c211082fd4710146e |
| SHA1 | 22c1e11fff8d089c8fc02b1fee3bb86c5fa67870 |
| SHA256 | db8143e6fb282f1bfbed445a76990e1dde02c49b03e56668a3cc78d98a306c85 |
| SHA512 | dc8e84151a3231961bfa9ab90d9673f8305c7f2786a33016d11f19237ace799a687d6d2e3d83eee3b4f7e340bcab210734319b0acd5800fcd7baae8eb14521d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | ab08edc34f6fb36fe70c0340af92154f |
| SHA1 | 130614b9b278df69284ddf96584df061ab1e4605 |
| SHA256 | 66c6da589476cd10201b676fa458598b1a2afc796ddc4943f070672e212daf25 |
| SHA512 | 5532ff66a425171aa229d2e2886275b6fd78bc8767e7acd2bdc822e8659b85d8036860e61ed09bc7d69bcbe01f2a8d4b7e70476ef7542bd99376802d6bdbe14c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | 76a7bac8b9df43ee10b2a136abe4628f |
| SHA1 | cf0b4eb34612d1acc8aca7e9e09901af2aa559ca |
| SHA256 | d9618c288c0fdca92420a8c9b98456545c50d25bd2d1c484fdab3d07c8519a35 |
| SHA512 | bac20214497248347a6ce9cb213a101abbeae40ca1dcd1ee4e3cb89d055a41ae2fff4100ae717e19a4e81819ac40b25135911ae49210e1b37bc4fbf5eacd0181 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
| MD5 | cc5098d02a0afc539600bfed660497c7 |
| SHA1 | c5e0ca4a98ae0be5eaf0cafea545a2fd3dcd53a7 |
| SHA256 | 9c51383f41b2dfd1cd56cebe5bf04b3cde8d8717170c77709c9c46819df3cf73 |
| SHA512 | 33e52acf4bc69de59ffae56945cf8ce0e328b2ec537af573077e6c276992363ba1c188c5c4fa1b9a1e6cd8bb563cc563138a98a30588199f22862c2dd348f8c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | deb4a291b36e799cdd8ec8aca9b72dde |
| SHA1 | 8f6248f0b498a0491b62d75cc8d573192c10f739 |
| SHA256 | 720e170d73ed3896ad7d536a1cdb12f9375e1b76ff48279da39d44914b2417aa |
| SHA512 | 50e6761c49a89e7b945f953cdca1695c77282cd011fbd88815dc898560b046eb0ce34050340be40b273d29bda093d0382ee8018fbb7523a4be9e6052b7b62e81 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
| MD5 | c8a3e225366051fb0b57c4a3a936eb0a |
| SHA1 | f6f70b6859745f4e61f03dae8986ee58b46935a4 |
| SHA256 | 4af98c7ebda274b3c19d52f2cfc46c7c4c1c52cf509113b2677f8b6098dcec5a |
| SHA512 | 700d314efa7ca50d6712fb784daf85f32539a714f5227c69401a81c3aa6e4cb7355524aa9bd327ef0fc0c36c8d94f5cddebce29fa801f099043f90ad18d96835 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
| MD5 | 3b6d52cd03dbf8387788a9a40e5894b7 |
| SHA1 | 74824fdda4d2b41cac43e2f79e9324874f06281d |
| SHA256 | a6dde344c5c8b31a5ce715a0baff684d1f08fcbb205ad85ce1ebc4e715b4d9d8 |
| SHA512 | 9688bc1f0a9fd9a454e8a987d806f85d6a15f4f98522b5791b07e1af6434a2cda9e5c14820c1fca68cb00b742fe18e91a3e0e10b0df4b130cce998dcddba4a64 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 9e1812ab6011a346a4d7deb764eed2a6 |
| SHA1 | eed3aee5359887659662ef988d9e8fe45f3080cb |
| SHA256 | 285278c2dd3bac5f3226fec60d805e414114b21c9efc936aad20ba49e50cce89 |
| SHA512 | ee3db86545f76e2dc16db93b3e9d63cc281fe741fc6731c5f29e8367e391a88715ea6e945f46c558b1e849001ea9765acc1e6944847dee3eeac2a3aba5116fa5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 7d7fb5dc720c8d861724aa838721cac4 |
| SHA1 | 2ceee2a1bb96741812e16aad0b72dc5a57b59286 |
| SHA256 | 4d87a34b2790320238a476c46ea752da7ac096e77ee8ba3270dab2f8a1082c43 |
| SHA512 | ee9484568d8f73f9a39f770a0459e706bc8e10159e19236ac418d4122e3b2fcc66480723c16d159a5322810b7bcf72976f77d933102110ab52a68258db8dcf20 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | d55d8b9a0f3771b80a9e6abe99681d6b |
| SHA1 | 86bcabe441a084524e26bf236fb1456a90c03499 |
| SHA256 | bcc3b16373841345cdba2647a8573b6884120a5e01aa14d5c76d90db0c0264b4 |
| SHA512 | 10bbd3543cd2706b08feec9bc2433e6c6339d9085a003c805767fe7c68d1a20cbe889b37b4514d9e17c8e3cbfa479bf521c862f8ac68887cb8108e3606120de4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
| MD5 | 247cff831f5861ffc8bafb08347c760c |
| SHA1 | 9b871133c34b381c42d4f1e85556dea5f373a5a2 |
| SHA256 | 15b2abf6bec8d0e7f192547537bbf587e54436e8b2bcc05e339c87c91343639d |
| SHA512 | fa6b85dbca7a3aeac68e279fbc6278eff33c71e994a2adca978672588fb01537969b0f2d0364ccabf921dd64fb55fe74d335d1d9759567f8a7e3facd8c716851 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | ab73808d848c37e52f61f525e551ce53 |
| SHA1 | 6d32e734d7e21e3bf4eccace3cbb5df908eb3933 |
| SHA256 | 8e7207a5bc9112821f85c7c76b23df8ea870ba5f59cb0cc0d6bf00c553bba728 |
| SHA512 | d2b9a90877bc973d43ad93bd9c6cbe6a3379343d12b21f486b395f765d1ff0b3d0ba9af2095831ec5d70d448b374cd9bf535a8502359447e869b0f2b2e73841d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | b29bcf9cd0e55f93000b4bb265a9810b |
| SHA1 | e662b8c98bd5eced29495dbe2a8f1930e3f714b8 |
| SHA256 | f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4 |
| SHA512 | e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
| MD5 | d5340f27fd619d269b4b3923908a9f31 |
| SHA1 | 7c3a36bc152889464469e0e7745386dd011af34e |
| SHA256 | fd2bb5374a8436e36ab338a2864b6436b2a640bbbf1ef00f18fbe4513273f080 |
| SHA512 | 6d863256d415c000a180a15d558f135ab687772c5a8ed62e41cae52c3dd7e4534f4560f836d62983b3ece69e8d327012eeb4a23f684c32c3a7a18f784d20297c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | a0e03a7e736384beb8a7035845f78e3c |
| SHA1 | 05d245c936ce0253924980040ae18f3682545b03 |
| SHA256 | 68648e9ab4d9b96f56ef73c58d3e276b291198b5fc5565adc38b5bc6cdf79db0 |
| SHA512 | 02990db209c6a43bc034faa2a65da8e64d089a341cb6bd3aa2fa42105d881bc1faf2f5f9d2b630cb5d420241169a2e3e0b15df57665c1ef93ec628ac23d35559 |
memory/1200-719-0x00007FF955240000-0x00007FF955D02000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 245760dc74e6d5c17fe105dffd87e132 |
| SHA1 | b5530a6a7309e27b35fa82fb1c7356bcb55152f8 |
| SHA256 | 4cb408c304d61b1d3d1ed4375f82803d46b2253f901e4389be9bb68daea28b48 |
| SHA512 | a1843449c656b0f715bd7b52f28f615f1ef78e3f0f3444a9cd672c6666b72f74f8f56e27b4f050978a4fe935a77c38bcdad1ed9bcc138c0043aa735a9569c933 |
memory/1200-726-0x00007FF955240000-0x00007FF955D02000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d7b58b18653178b3593cf64a3cf76ead |
| SHA1 | f8106889a708a8432e4edac19174815c6259354c |
| SHA256 | 91aa5d3a1fc23d7776753ecadfa23f36c9b9fe35784ca03fb92425df9b52dc00 |
| SHA512 | 35ad04516a2adf07bb0573dd79516a7266298f2663f71da12910de8f867912fb665e2954aec5e0ffea6e7b312f0fd7fd9afc4326c17fdc0063529cbc81f4ace6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9a219af1b3eb228e0ce8aeb4136e8789 |
| SHA1 | fbf618c9dc5575e232eb6842f1fd2819001c9c0d |
| SHA256 | 52da2a039455bae5857f1088c9967f694b0ca0d34d81706e0ad33bc972317e7d |
| SHA512 | 43609d8504b49ff680fb7028ee202ba001d8298007c9f204dd9b8f3f56101869cc132526d863ec085ea918a29e2dccc0ed9fa713ed315cd1870ba9dfedbd6a8b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | eed06ea67d7296927e80b6c4d39be4a5 |
| SHA1 | d6dfe2783a4e214eaafdfb74f0cef10a596c043b |
| SHA256 | 5e765b9791e35c29bf47ad348f8d6fb48f86baabe35d0830ad550b849f674eda |
| SHA512 | bd244a343be14edff2a0f8d408072c9055e9554232176bab3b0c5f2f36ab7b2c4f3dc56d6c65c3859ba9862b456c72a82e9017ce91b70a0f7b8bcd771b0b7880 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a997fc654ab159e5dd8d89f18d35daf9 |
| SHA1 | ba404bb21b170752d3fa15641d0f4ca6b66a8236 |
| SHA256 | 234e8c87436c01bc6ec1b05526ce9c16d49f01512d702fbbcfbfb6bd28716bb6 |
| SHA512 | a78ed1ef81edb8bb500404619914ea3590fa1f0b70d7896f7689b4ea207e51973c11e890c2448cffc588e76c3a107c9953ba660c254cd4838130e977016f9cd6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f01e235fec7e7ddf91c100881d395f09 |
| SHA1 | 2c46fd98558eadf10e1bb0c0374911dd05ebcc8b |
| SHA256 | 8d3ac1b7820e7d9ba3ac72c51f6a3e2bd23dd116f9d6463923c38985b7aa158f |
| SHA512 | 94d9df8e2694b38072ed8775204b212c697dfeb12144c52a86703aba92bda64898c76dcc8473426f386c84dbdae760f2de575eb61b3d888832243c95e98580a2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7cf50f83-cabd-4085-8516-43f0c270f42a.tmp
| MD5 | ff9ff9dc54b22efbd9f5b0f054aef2fc |
| SHA1 | f2beea0aab1fff4de1bcc940c0838c1d82cee3d1 |
| SHA256 | ab23ff5555e0375e851e126181dbd7e82bf4b4a9eac987fefa43c4791a4cff58 |
| SHA512 | 31d878074f669476a843a9d527cb8e70f0a55563fb778fc88bb9f1157f58d7c8ad652edbffa26f3e1e2df2e15c9044071ced04bee39fff79424e199a4dd44113 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c832262863545da67107e19d82b5d93b |
| SHA1 | a4ffb1e5ac1e8f53a6ae5691a88862fc97f94196 |
| SHA256 | 26d5b0581d05ec0d8aa91f22f9ea2d1d27d32e04a085d52aad00dec1e587122a |
| SHA512 | ab2426141b44b0f4943dbca716ff45b1c8b0acb39f6eff589c5b2d2db2e4f3e2293f261049d2a4f9f1fdbde4f0f4b1e1cb32cb413298cc0ca5e4d00800207b1b |
memory/420-1106-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/420-1107-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/4396-1109-0x00000000002D0000-0x00000000004BA000-memory.dmp
memory/4396-1108-0x0000000074BC0000-0x0000000075371000-memory.dmp
memory/4396-1110-0x0000000005530000-0x0000000005AD6000-memory.dmp
memory/4396-1111-0x0000000004F80000-0x0000000005012000-memory.dmp
memory/4396-1112-0x0000000005020000-0x00000000050BC000-memory.dmp
memory/4396-1113-0x00000000050C0000-0x0000000005126000-memory.dmp
memory/4396-1114-0x0000000005210000-0x0000000005220000-memory.dmp
memory/4396-1125-0x0000000074BC0000-0x0000000075371000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | b06c13abaec1fa625d6c19d22024381c |
| SHA1 | 5cde5231dfdf03adad89316fb7c870f95a00803b |
| SHA256 | e80b7cb093dffb9a539ac613e5dbf8389bca2a3415e87e5df2b8c6ce74ca12e0 |
| SHA512 | 6768c59af28ca9d635d8baa7a6e5d1fc519918644c8334b2eb9f447d271f135ad6dc5035f17510acda9ccace569ee2fd6f79b00e98fd1aee87c9c879a50740e6 |
memory/1432-1136-0x0000000074BC0000-0x0000000075371000-memory.dmp
memory/1432-1135-0x0000000000170000-0x0000000000882000-memory.dmp
memory/1432-1137-0x00000000054D0000-0x00000000054E0000-memory.dmp
memory/1432-1138-0x00000000052D0000-0x00000000052DA000-memory.dmp
memory/1432-1139-0x0000000005670000-0x00000000056C6000-memory.dmp
memory/1432-1140-0x00000000054D0000-0x00000000054E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
| MD5 | 63ffcdb54b5997ad2fd7f1c92f2645fc |
| SHA1 | edbac4eff97e603f220303e301d09de1f5e0c190 |
| SHA256 | 90616f5caa0559e2342c6dd9cb7dde14dac7721369a0fdd9039b07a771d9a28e |
| SHA512 | d567b013c6751e57aba75421e80e47d7f216d4d160263d0dbd13428fba301bda285d52b7149de89b923669abc544e29b32b5352d3d08acad155b72f8beec2633 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d3f3f72cb3b1d435e177ac78101a5ae4 |
| SHA1 | 650af0ec7620b05a5e37c33ca1ea9d9d8d55124f |
| SHA256 | 50652b2cb10948580bf262c689927a0a59d55d5745b2a54f651fccfae00614ed |
| SHA512 | 7c8b6562c09b5872ac629aac6136445e264816540dfb9dc97499e1481d2f755a72b72f40da5d12cf371f21b3e94d48fb11b6ef4162676342a2acfb3a2bf91045 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 91839ff64926d6cfe8af63ea77c29c04 |
| SHA1 | e9afee6450250e7ce102b60a499721d873af141a |
| SHA256 | 8f8f196b631d554bfb99eca8a4a587b885578748ab31a4cc0b24babcae6a989d |
| SHA512 | 22a8c14c7235d4fe484217f82ab6c0b541a9b7fab71105d00aba7b244a51e41b17b06be0e7240683cd95a4f2511a5b4f2262091250e0d85f90df7416d425b55c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2befcfce6d0b698ca16146176b71bfa9 |
| SHA1 | 969dbbae4d89fc9da9929530fe76c2458917c11d |
| SHA256 | e5805762bbe0f5ae2285e3775f5b67b21d73b4e7774966a4ab0b421e98b70488 |
| SHA512 | e7bc31e0296bda7f8f51c4c94352a7e6248b78b70ffc8d90935f58e3e1c77a4171029975305013d10c65971c177af16b5ea656a7db20e436403fca2bca6bb7cd |
memory/1432-1202-0x0000000074BC0000-0x0000000075371000-memory.dmp
memory/1432-1203-0x00000000054D0000-0x00000000054E0000-memory.dmp
memory/1432-1204-0x00000000054D0000-0x00000000054E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 35a85fe857891ce3df3797e949b3e1ad |
| SHA1 | dfe371c9400632678dbf573741458003d4ca303d |
| SHA256 | f33de28ba20c646f575309ceabad3ff21d0059420c27daceb7aa21325862470b |
| SHA512 | 2e3b494520558601c9a507d6cb5777192f0dcc5127da0a5c79cc6fd6bbbe45c7729b1f1780eb58f3d655b8ff68f2a63cf398a569b94f12bf6922c662d4088f2a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | fd357dba5db36aac4375166768507691 |
| SHA1 | cad900407dc04fb23123ddb830e60e81e04ca0f7 |
| SHA256 | 2c25e111a02b512d9e46fed1cbd6e83d4c95c574337b52ec3c077b45d457092a |
| SHA512 | fa73ca139b29ca24d845169c78a28b410f207b12e2c67250d952e3c22312ee15ce2a2642530464c76a60486cae678607809090ceb7663e07975fac8b44406f49 |
memory/4044-1225-0x00007FF955240000-0x00007FF955D02000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c7bbdae9e2efbd6bff44c0b2b019f144 |
| SHA1 | 2592f3d6c4685993ffeca105354b939ec4e97c51 |
| SHA256 | 578c971cac5ff12e90e2b93129c3fdb93adf0c57fdf4664558e8c9f2438cf037 |
| SHA512 | d975b4119e5a05e23702ea1dcef8b36328366be74dd62f2db6dfab9a662080e130ac8408913239d2af52f74a26146002a7bfe143c699177be9a62c2c0881427b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 811d9b2fc8ce3c5425a2dbb17d38ad60 |
| SHA1 | d79e15c8e2465d4c3d1d76b8ca3ccb58c5187287 |
| SHA256 | da9141ad985b82c9676d623812fcfb542af3826de1e8ff7c4c61861c5fd5afda |
| SHA512 | 4d1b907c0df82d55d883c0da2a7cc9b0c7245ed48a7123abc81e38768a3cb33e38f7987b2844ecdf7a5468fcb7d9f642649fbfef0b0e0536325fb820fe7c4537 |
memory/4044-1244-0x00007FF955240000-0x00007FF955D02000-memory.dmp
memory/1144-1245-0x00000000007B0000-0x00000000007B8000-memory.dmp
memory/1144-1246-0x0000000074BC0000-0x0000000075371000-memory.dmp
memory/1144-1247-0x0000000074BC0000-0x0000000075371000-memory.dmp
memory/1432-1260-0x0000000074BC0000-0x0000000075371000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 14387acdb95aec78fd5abfd43030d735 |
| SHA1 | ef5596fdf4c6ba65af55fc14c6b838e600571cf9 |
| SHA256 | 798dec53f9189ecb90e6386990faf3821f8e9b86cf76c8b6d872105739091954 |
| SHA512 | 624cc044d8316d110d20a5fbe55e0fbec882fab233ad53549adf08595680f0e753296510f524a64722dd4ce9c45a29fd7dd81ce8f73babe5d42ef09697a4b537 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9719333d78964fd4c63b6bce28587d65 |
| SHA1 | 5e4ec709ead5655fef9517e5cf6dbd040d7a55f3 |
| SHA256 | 2fafb5034dcc321c68124509cb75023303439b1f2c58ae6d0bb9e6555641ae24 |
| SHA512 | ae13cb445c0a78acbe68169bc2dc34d1565048013b8e9ae46455c04529552485d1bc175ec2bbda65bbc1a81bd91dc8a1478a24908c359e711bd302b410bfb83b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
| MD5 | d2d55f8057f8b03c94a81f3839b348b9 |
| SHA1 | 37c399584539734ff679e3c66309498c8b2dd4d9 |
| SHA256 | 6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c |
| SHA512 | 7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
| MD5 | dfa06a2cf726c1772e54d6f0e7b57fe8 |
| SHA1 | 6c843917d374a2f5f4fbc2e3cb620737c56f864f |
| SHA256 | a99b0f8a4e209bf564f0570d79edc20f08244edae0a50da214ff32afc56d89fc |
| SHA512 | 046af2d7537f6985db4c55368d5d0865713dd955ef094ff3743b0899e8699edc17029c29bd15fdabe4f1258fd1e502372f0073bd2ed0e8d5060e384c0a397e2f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b
| MD5 | b38fbbd0b5c8e8b4452b33d6f85df7dc |
| SHA1 | 386ba241790252df01a6a028b3238de2f995a559 |
| SHA256 | b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd |
| SHA512 | 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c
| MD5 | d404b61450122b2ad393c3ece0597317 |
| SHA1 | d18809185baef8ec6bbbaca300a2fdb4b76a1f56 |
| SHA256 | 03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb |
| SHA512 | cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d8b2ec7f054aa0dc8c535ecf1e348313 |
| SHA1 | 503688c2396047db9c3077958452fe1cb437a811 |
| SHA256 | 006b85c0222da3a91040668dae6d8253883d080a85186e582b1c0c3e1cc7d2a0 |
| SHA512 | 738c95701f9785bb6d98dec5c76ec87aa455552550ae8394052a0e0a8e0eed0f6ad557837e0ba1def11f177d3a1befd207f76ca8b4677f97615f1024953cc5cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1bcf3d8a7255dd5e712e26651523922e |
| SHA1 | 5d0087ea12017e9eeb377bbccb478a52dc1d0341 |
| SHA256 | 476648c4a4a1e640c29293a191f875d9022d02d0e51625104f4acb7378219903 |
| SHA512 | 5d4b7870bbce9e5df2d5b8ead688ce7222bc0420355d2adb0c3d57387385e68ec04a8dc12498c777cc10ea65bd5e4e7c8327cbc3028e2650c89debf1a1407e17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0bb260fc1d4a32c4f497ef3ba4a17898 |
| SHA1 | 4b7cbaf6f671859a174ec0ced03e704f68ab9572 |
| SHA256 | 4ae711c1688c1a061f7c5be8d1a9708aa901ec3561b0b9a9bbc9c66ce3e05cdc |
| SHA512 | 658ba79e78121522b6e793c63625160a349c69cf58d21bdce2384d09e65a66a62c378100003e3a44c7b850e4f3ee7b27f98be132afeb13af935d0bdb3ee88162 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bc0cad9294ce2521fb830f32dc1791a9 |
| SHA1 | 0da2fec7acd99465feb0a933348f7fcc21b9a17a |
| SHA256 | dfbbc24fc06460569a6aa9aecb44a5d5fe4839dea166d5c8b49140d8e032e035 |
| SHA512 | d17f3f08935604af4eac91d912b4be3246e2e9f3d383a915650c71d79b43d38bd9efeb9032c6471fb0b48904e0cb0b5a50576c55c729e13c9f473b0a573f996f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 399dd7c8da61549e29b9c12163876207 |
| SHA1 | 6ae4a7f2f2fcb5db3410d6f6ffb338f0306f774c |
| SHA256 | f10e02f9e123cb4bb5b5ed1843c31349d844688c9c4f8a7c6d831ac018baf13c |
| SHA512 | 2d4d101c619bdc8d9e67f81623286c11e4eee1d194b6f5a206d183be1706a481f00e5f592e87b01b8916b5078e9cf4aff188a5ecec7c043b808d334806e64688 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c07ae8574b2a7a9013617f7c29dfcee0 |
| SHA1 | 709669acad783e1fe72d4e87517404f307a5a71f |
| SHA256 | f8f918b12ae9c41781703eb5ee8c56fdc62997dc72990c360f596f3f09d6d034 |
| SHA512 | efc209c80121a7224870ea64fc8b38b184be4ad4d52d1abe35b4ca8978f874d35b818ffb313c42527030f63d9eef8326e3fac7c6a5529da088f1d5acf5228054 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7fc88169a711dd91bae97c9f02154eaa |
| SHA1 | ec4e07ebf8bbbab6d7cf8c1fd6fcfb5b9d322b24 |
| SHA256 | 50b2d24c9c2842cdd0393ccfa6e9a33cce8251b1990c3355897cbaa7eed06ae7 |
| SHA512 | 1aacecbc2d541f490dd82a79fbb07cfcd2b4f7efc75a87f06682011aa4102e58e9d9d9ff63ed0e0af4f54937820615e05d04debe9d9f525abf8f737a5ff52faa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | effa0951a3659ece909e1b5d522aaff1 |
| SHA1 | 0f6090c10717b6ce045448a8f87f6a27d060539f |
| SHA256 | c127515fa00e249eae2049bd6623388db2bd05e639325343993bf93df90aa3c7 |
| SHA512 | 581214b48d767d2aada24e5e532ed40c5c8433a83df68bef42447dcf385c52d9be0252ad7d506186ca458b5cb62a64b950c7b1d3b5facd7d53a8059f43347ca6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e531d17a95609bf850e86aa305a8791e |
| SHA1 | 159860340540535bd3b0d382dc0580fd11a9af71 |
| SHA256 | feb05c0413f17ef7c7846e1d292b83b6f12727610b50bd701f7764955dfdf87c |
| SHA512 | 02d05aa58fc439a1cb04b2b1ec5e6b6b462cccd7ce40a5c4fd815dabec1e08878dcb623dee1110f7cf5fb9d76e7674c32c957bd0a72fbc50f68fa5b1b8fc009c |
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
memory/2936-1832-0x00000000735C0000-0x000000007364A000-memory.dmp
memory/868-1847-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 27f29369690d3be827be79844b5e3180 |
| SHA1 | e95cca532ad087ceeef7aa148ff53d84ca08e3f3 |
| SHA256 | 83088d60e465ff3c8ea4a77fdb5b90db211c907c595ad0d713b01015f9078e50 |
| SHA512 | c000b0f39aeab95e5744235bb3b0b575d38a8d5c804c8a07bed91ccf4d599a4cf06452c369fbf0ebdc3ac34b52afe32d524a5533b86b40c83f145f16c740f2fa |
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe:Zone.Identifier
| MD5 | bab0aa318ce4eea30e3187174311e43c |
| SHA1 | 43832db3f0581c9ed8154b7c3e536adb6dd5ad99 |
| SHA256 | 70ce3369c2d3f46e4001f9a1b737f02e668a3cf17945d319fa4e6905a2dbf3be |
| SHA512 | 59a3131f45f4c407f57f29c3fb0570468662748dca2f295dba2f1893daf9949b1b396554161a86c48a60872b2cd7aec716ef872e375230797abda5928e20016d |
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
| MD5 | b8703418e6c3d1ccd83b8d178ab9f4c9 |
| SHA1 | 6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6 |
| SHA256 | d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e |
| SHA512 | 75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f |
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | 393ca5ea1f661fa3abb5064e6c73e4d4 |
| SHA1 | bb922d84e6835e301f47ab265332c8d9e91eab82 |
| SHA256 | 11b59d8ed80ab71252576900fc474b4bb34e203e3d87b765b20defcd9ebb7b9a |
| SHA512 | 85e332a3219b423eff0adca652eb2c9cdd198d136a229f9a02bfb2e3894d8958e4f4cea91b1c1f7434e256a77adba12d63c1f3476e207012b1e31183a629cead |
C:\Users\Admin\Desktop\XWorm-V5.0\Icons\icon (14).ico.ENC
| MD5 | fee81a41a1a3e154d56c8f494a4e63ee |
| SHA1 | 00bd09c44db873922249ca2459c3ef4aef0f7632 |
| SHA256 | 577b1cea35f044464bb0c5e931ca05a804a01a8e9c24d888e152d9c90073bacd |
| SHA512 | 8ef7ab2aa2585410ecc0a5f80aaf399a8860ffbe920c399a6d5a0611ad7589a0a41c26aa779c79cca3238c79607ebba1d8904078da5f45fe312c460eb4cb384f |
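The dropped-file listing above mixes three kinds of line: a file path, `| ALGO | digest |` hash rows belonging to the path immediately before them, and `memory/PID-SEQ-0xSTART-0xEND-memory.dmp` names for memory regions the sandbox dumped. Most of the paths are Edge profile churn, while the lines worth acting on are the few dropped binaries, the `:Zone.Identifier` alternate data stream and the `.ENC` outputs. The following is an added triage helper, not part of the sandbox report: it parses that format, sanity-checks every digest against the expected hex length, tags each path (browser profile, ADS, `.ENC` output, executable) and separates payload hashes from profile noise. The tag heuristics, the `payload_iocs` name and the reading of the middle number in the memory filename as a sequence counter are this example's assumptions; the sample input is an excerpt of the listing above, trimmed to two hash rows per file.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Digest lengths (hex characters) used to sanity-check each hash row.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# Assumption: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
BROWSER_PROFILE = re.compile(r"\\(Microsoft\\Edge|Google\\Chrome)\\User Data\\", re.IGNORECASE)
CODE_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr")


@dataclass
class Dropped:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)
    tags: list[str] = field(default_factory=list)


@dataclass
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def classify(path: str) -> list[str]:
    """Tag a dropped-file path so profile churn can be separated from payload artefacts (heuristics, not the sandbox's)."""
    tags = []
    if BROWSER_PROFILE.search(path):
        tags.append("browser-profile")
    # An NTFS alternate data stream is written as file:stream; skip the drive-letter colon first.
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    if ":" in body:
        tags.append("ads")  # e.g. Command Reciever.exe:Zone.Identifier (mark-of-the-web stream)
    elif path.lower().endswith(".enc"):
        tags.append("encrypted-output")
    elif path.lower().endswith(CODE_EXT):
        tags.append("executable")
    return tags


def parse_listing(text: str) -> tuple[list[Dropped], list[Region], list[str]]:
    """Parse path / hash-row / memory-dump lines; malformed rows are reported, not raised."""
    files, regions, problems = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            regions.append(Region(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                problems.append(f"hash row before any path: {line}")
            elif len(digest) != HASH_LENGTHS[algo]:
                problems.append(f"{current.path}: {algo} has {len(digest)} hex chars, expected {HASH_LENGTHS[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        if line.startswith("|"):
            problems.append(f"unrecognised table row: {line}")
            continue
        current = Dropped(path=line, tags=classify(line))
        files.append(current)
    return files, regions, problems


def payload_iocs(files: list[Dropped]) -> dict[str, str]:
    """SHA256 -> path for every record that is not browser-profile churn."""
    return {f.hashes["SHA256"]: f.path for f in files
            if "browser-profile" not in f.tags and "SHA256" in f.hashes}


def regions_by_pid(regions: list[Region]) -> dict[int, list[Region]]:
    out: dict[int, list[Region]] = {}
    for r in regions:
        out.setdefault(r.pid, []).append(r)
    return out


# Constructed sample: an excerpt of the listing above, trimmed to two hash rows per file.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
memory/2936-1832-0x00000000735C0000-0x000000007364A000-memory.dmp
memory/868-1847-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe:Zone.Identifier
| MD5 | bab0aa318ce4eea30e3187174311e43c |
| SHA256 | 70ce3369c2d3f46e4001f9a1b737f02e668a3cf17945d319fa4e6905a2dbf3be |
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
| MD5 | b8703418e6c3d1ccd83b8d178ab9f4c9 |
| SHA256 | d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e |
C:\Users\Admin\Desktop\XWorm-V5.0\Icons\icon (14).ico.ENC
| MD5 | fee81a41a1a3e154d56c8f494a4e63ee |
| SHA256 | 577b1cea35f044464bb0c5e931ca05a804a01a8e9c24d888e152d9c90073bacd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7fc88169a711dd91bae97c9f02154eaa |
| SHA256 | 50b2d24c9c2842cdd0393ccfa6e9a33cce8251b1990c3355897cbaa7eed06ae7 |
"""

if __name__ == "__main__":
    files, regions, problems = parse_listing(SAMPLE)
    for f in files:
        print(",".join(f.tags) or "-", f.path)
    for pid, rs in regions_by_pid(regions).items():
        print(pid, [hex(r.size) for r in rs])
    print(len(payload_iocs(files)), "payload IOCs;", len(problems), "problems")
```

Feed it the whole listing rather than the excerpt and `payload_iocs` gives the blocklist candidates (the two `XWorm V5.0.exe`/`XWormLoader.exe` binaries, `Command Reciever.exe`, the Agile.NET runtime DLL) while the dozens of Edge profile files drop out; the `problems` list is the check that a copy-pasted or truncated digest did not silently make it into a detection rule. The memory-region sizes are only as meaningful as the sandbox's dump naming, which is why that parsing is flagged as an assumption.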