Analysis Overview
Threat Level: Known bad
The file https://github.com/Crysiz2631/XWorm-3.1/releases/tag/XWorm was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:38
Reported
2024-05-29 19:58
Platform
win10v2004-20240508-en
Max time kernel
1199s
Max time network
1198s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\host.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk | C:\Users\Admin\AppData\Roaming\host.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk | C:\Users\Admin\AppData\Roaming\host.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe" | C:\Users\Admin\AppData\Roaming\host.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Crysiz2631/XWorm-3.1/releases/tag/XWorm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810c446f8,0x7ff810c44708,0x7ff810c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe
"C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe"
C:\Users\Admin\AppData\Roaming\host.exe
"C:\Users\Admin\AppData\Roaming\host.exe"
C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe
"C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "host" /tr "C:\Users\Admin\AppData\Roaming\host.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x388 0x2fc
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\Readme.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\Fixer.bat" "
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\fixing.txt
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\Fixer.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2372 /prefetch:2
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe
"C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe"
C:\Users\Admin\AppData\Roaming\host.exe
"C:\Users\Admin\AppData\Roaming\host.exe"
C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe
"C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
C:\Users\Admin\AppData\Roaming\host.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| GB | 20.26.156.216:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 216.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | next-screening.at.ply.gg | udp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| US | 8.8.8.8:53 | next-screening.at.ply.gg | udp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| US | 8.8.8.8:53 | next-screening.at.ply.gg | udp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| US | 8.8.8.8:53 | next-screening.at.ply.gg | udp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
| DE | 209.25.141.223:48590 | next-screening.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8e767fd33edd97d306efb6905f93252 |
| SHA1 | a6f80ace2b57599f64b0ae3c7381f34e9456f9d3 |
| SHA256 | c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb |
| SHA512 | 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2b2380f93db858b3a8f2736680744567 |
| SHA1 | 4dc58c92db6f53394b4fb3220517edb89184ab53 |
| SHA256 | 3568f92ef9f5e9596be032cd5f55f646e767c63d170de94bad43a29f921cb4e3 |
| SHA512 | 8ab1dbbc75a64f4024db5c32351b1056bbd993d9a705b9c25597c72de13811e642cf087047f2d9f0c23fcab47618a9c01e2fd5b9e150c1087efc9c510f60c8ba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | abe14ddf2eee4f0091a26ef67152749a |
| SHA1 | 6862dfc99fb89735d4e559a41c35f6e1ed171fd2 |
| SHA256 | 7dfc10212f57a2ad0a5114a408fe5693ae107d84fe8aeffc556c7e0f865eb127 |
| SHA512 | 398a27c2b2c6e2f1c6b5b3a650217b70860f4a9b0e5296e920615971efe8014454bed2933efb1f37eb931c3e26fb8a269816787da6d640883e29db06807c76a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 548ec065e6a6dcb97555eab5675a4f26 |
| SHA1 | 49752098b488fe6bdc3321bed68829ffe5d9fa3f |
| SHA256 | c32b7e7ece02120947064021cc7199cc90085a4f0e247762ebb9fa3fc621593a |
| SHA512 | d3d4cfe6679656d5ed26cc7867c70fa1481175fe12944a886c8a13b9b4b6b3b9d4531596b02204a30df456a2aa88853035cc1c72fdda6222317e905696376e6a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 763fd6532854e971d9d533d0ed36a847 |
| SHA1 | 6a351fd84a15f5c3bf40d3cecf3b4c1e9568e889 |
| SHA256 | 6bd63fdc401cae4fa5dfbdb885688f852e62841b9c4d0d76d603c4c880871525 |
| SHA512 | 9f33da678bdb9906df93cd550b075062085143631d7d394238da3da747856fe6f9de23ff67546332e614ab52c1327ccf9e75aa6b306fb2f82e29c00d10468ffe |
memory/5592-167-0x0000000000BF0000-0x00000000012FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\host.exe
| MD5 | 7ade421a4759874f3edbd351490d2405 |
| SHA1 | b9f73f15595f042ca86314dc52f655c99d2fab71 |
| SHA256 | 9906c3009cd5590b15abc938d24d64e4d54b2518cf05b46ec5987d3d14697695 |
| SHA512 | 7242d26f0ba665575004606b302b192f82433603aaef42e6254d714ed4c66866db5f78abad7ac59f0b064fa7c4f1fb48e3e8f5eecf7ae2b26d9383ddfd90b446 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2025f4acc4defd0a308b854640c09156 |
| SHA1 | ceda62ae44f1e94a2c8f0f43eacdb6de2226bad0 |
| SHA256 | aaa882182ecd62b34739554754494de902ad4f70b151c679dda62de958dc9a7d |
| SHA512 | 4e7266519a2feac2f24604189915439c87095ff9346d232d375d92324f3ec18dea3614f4c55633dbcbcff8ff6fd7191f1b075a75698295fa891862d7ce1ec749 |
memory/5728-184-0x0000000000D90000-0x0000000000DAA000-memory.dmp
C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe
| MD5 | 37a9fdc56e605d2342da88a6e6182b4b |
| SHA1 | 20bc3df33bbbb676d2a3c572cff4c1d58c79055d |
| SHA256 | 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58 |
| SHA512 | f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V3.1.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/5812-195-0x00000000008F0000-0x0000000000FE6000-memory.dmp
memory/5812-198-0x000000001D590000-0x000000001E0FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpihlspz.obp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5300-210-0x00000201E7750000-0x00000201E7772000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3161f4edbc9b963debe22e29658050b |
| SHA1 | 45dbf88dadafe5dd1cfee1e987c8a219d3208cdb |
| SHA256 | 1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a |
| SHA512 | 006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 37baf21f6884d62dd3fae3bcac0e3f54 |
| SHA1 | 86387f81e0e639f4b89ac148a2611dbe17c692e5 |
| SHA256 | fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be |
| SHA512 | 13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461 |
C:\Windows\System32\perfh007.dat
| MD5 | 312d855b1d95ae830e067657cffdd28c |
| SHA1 | 8133c02adeae24916fa9c53e52b3bfe66ac3d5a3 |
| SHA256 | ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf |
| SHA512 | f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14 |
C:\Windows\System32\perfc007.dat
| MD5 | bc3d1639f16cb93350a76b95cd59108b |
| SHA1 | 47f1067b694967d71af236d5e33d31cb99741f4c |
| SHA256 | 004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9 |
| SHA512 | fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249 |
C:\Windows\System32\perfc011.dat
| MD5 | 50681b748a019d0096b5df4ebe1eab74 |
| SHA1 | 0fa741b445f16f05a1984813c7b07cc66097e180 |
| SHA256 | 33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a |
| SHA512 | 568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e |
C:\Windows\System32\perfc00A.dat
| MD5 | 70c7ba068b82106810720fdec5406762 |
| SHA1 | 744c05ee14ea69e9706a07967b4ca1597298729d |
| SHA256 | f3fccee564956fd81a1bba3477a18b04197bccf5efa057713c92a77b266c7b33 |
| SHA512 | 14bb6e89946abcc10f640e2d553623b319c829e31ff872be0976c3d0419bc8ac656e4774333d4040df9507f064e9f92347677f4b20c66317fffaabed5bb1c4b4 |
C:\Windows\System32\perfh011.dat
| MD5 | 394e68a48cbedf2aa4290ad4be6c1254 |
| SHA1 | e9b5a4204bedd201adfee94cd4bd475f92d508a0 |
| SHA256 | 48dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88 |
| SHA512 | 5b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c |
C:\Windows\System32\perfh009.dat
| MD5 | 367662b55faba4e0728f3c296daa92a7 |
| SHA1 | 1775899bd0f1bb5cf945910db18aa3a9d4d15b7a |
| SHA256 | c2ea1af1c970468f522e354c8e47b121b66a0d0428a8400f4a5cb03216368ce1 |
| SHA512 | 283e9cf2bf6fe904b530bd188347641c1d30b27c95d89552e18aa33be1c7e2840f10a09868a2862ee53bb805cef2cdbb31b8db391ca140b5dda27058dcad11ce |
C:\Windows\System32\perfh010.dat
| MD5 | 4e277d7a9304103e3b68291044c7db6b |
| SHA1 | b23864c76259c674ac2bc0210dab181bfc04dedf |
| SHA256 | 5dc2192236274fda886a0c0f396646f9292000ba33bd0e2061a65bc06639be16 |
| SHA512 | 094477571cb17d7b19f6e81ef237c579f03c944745499b2e537d77972da89f8f4baa0825c3f79993d96116aa071bbc776a96f55cf8ab3f60698c2c4e03e36957 |
C:\Windows\System32\perfc010.dat
| MD5 | 9c127d90b405f6e4e98e60bb83285a93 |
| SHA1 | 358b36827fb8dbfd9f268d7278961ae3309baaa1 |
| SHA256 | 878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578 |
| SHA512 | bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73 |
C:\Windows\System32\perfh00C.dat
| MD5 | 5eab28207b64327afaf81a30af478813 |
| SHA1 | b52ae3c1d6f0969864a20b1166947724ede26976 |
| SHA256 | cc2c02565e337c38a5b57f5e1339652f2189fb31961501f0b0b54be19583e264 |
| SHA512 | a84dfa7e0a5d1689cd9dbfe7814b9965359796d8484d991e1d3a91096074fa866152d49515a6866a761ea97e5d0d696bcaf0ef18f6a1b3cf8ba20462a4f9ea96 |
C:\Windows\System32\perfc00C.dat
| MD5 | 391168ff06e8d68c7a6f90c1ccb088be |
| SHA1 | c3f8c12481c9d3559e8df93ade8f5bfefd271627 |
| SHA256 | 7f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525 |
| SHA512 | 71fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6 |
C:\Windows\System32\perfh00A.dat
| MD5 | 893d78f82b3994cf86b3c8c80cd7ad6a |
| SHA1 | a68cfd50ebc35eee62c84f0fd74d20d1e0bb1476 |
| SHA256 | 411b7581b0af88caa8c75409dc83ac8b521ba4d987d9347402438be16d31097c |
| SHA512 | 7f7cc32aca4f023f34e4ab7a51fbd0ca0b0ea51fde6d79b9a4322bee9b4d55800a981b2d97007ceadfa609767b7d84e9eebd8b3e92f9cb68855625a25767f42b |
C:\Windows\system32\perfc009.dat
| MD5 | 243bb32f23a8a2fa8113e879d73bfdf7 |
| SHA1 | 2f9d0154d65d0b8979a1aeb95b6cf43384114f70 |
| SHA256 | 69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c |
| SHA512 | 34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8 |
C:\Users\Admin\AppData\Roaming\Intro.wav
| MD5 | dc28d546b643c5a33c292ae32d7cf43b |
| SHA1 | b1f891265914eea6926df765bce0f73f8d9d6741 |
| SHA256 | 20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851 |
| SHA512 | 9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d68bae8812f83ebc955947a67de5d3df |
| SHA1 | 6311f27db2c0a8d2ed1ebbc194392be557355b34 |
| SHA256 | 6495513d87ef4ba9c41193a3cb020895e511e0d3b055aa3bc9eb3a3ac47ec6ba |
| SHA512 | 79abbe50ae2cd03c8dd4d3c85835750eed3db0df531eb08f98530185b39239aadf9485b42f5f0a78e184fc469f9d26d3ab52c496cfecc873ad02dff2a85ada21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d4cf7ad20fc31e099f8993f366d0f937 |
| SHA1 | 8663f3509757ecacac531dcca9f02f152b631f08 |
| SHA256 | 284b84479be6b3b13c756c88b2f2027bd5eca8f5eae61065b236541be3aae2c2 |
| SHA512 | 59d9f199453bc1692f6f7d9c25d0200b4b10754745e8349514d9805b2e813d6bfa17a08a910e4dd208fae2a6336ccc78c361d7d5986a406ca45ff6eb73dd5647 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b5a4e0a2df36d39ec061263d20d2532c |
| SHA1 | 97c95ca22ec572e7822aa316f9fd81771745fc79 |
| SHA256 | 8f25b1b49e0636dbaf115d2b4f1b0caf00e16fa72fcb5bffc638e765b0887cbc |
| SHA512 | 7d9b93a2d1742dd9c75ff52f2b7c4abf6167aac28ff8e678d9c5cc6232c295b9f2208e74e5290b2ff20aff73922d794e0b8ac3cc40f57d80a8c4921f42db5b31 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59f1b9.TMP
| MD5 | c73f1911427594f1d4df2adea455ceed |
| SHA1 | 805c6f8ae97e02befb677ceb6654ac1335b0fc01 |
| SHA256 | 9bbaf2d2a6451dfa3841e80aa4a1b5e45d8e469b487a0f78dbc78ff230b45ece |
| SHA512 | 2a4e7859c38c9436e174072b58b4ef5c1c9a86df4d9ef0429b61de23b833e486fe51ee001f7c03a8e67214fe31b9f123c3e08cd735494cf525c6a4b6c7f8d511 |
C:\Windows\system32\perfh009.dat
| MD5 | 0e06730950deaeb094dc76f0e012b827 |
| SHA1 | 2b4fb47055a364f34c0b4f3cb9cc95376346910f |
| SHA256 | f8dba82e1659fcf93bba70fdac36be459cd60a6cc9217af125f5bd0b3dc7d6da |
| SHA512 | 2ee6d6cce846ccee1bcad666466a829160a9abaedbcb997ab4daa3ec9af18246d29195eeee4126b9efb399e169d15f92383ac82b5949e56e17ef78c08d63326f |
memory/3976-1850-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1852-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1851-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1862-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1861-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1860-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1859-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1858-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1856-0x0000026B67600000-0x0000026B67601000-memory.dmp
memory/3976-1857-0x0000026B67600000-0x0000026B67601000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk
| MD5 | ccd8a5d78d724ba0a345822107e6f142 |
| SHA1 | 8ebbe360da12b6c8ecfa04541ca33a699bab09cd |
| SHA256 | 86f4a2168dd52ed15cf589f9f9337f07fbaa111d592b454e7dd563e5f761d0d3 |
| SHA512 | 6594cf0360e6d7cc161074df2d3949d5ffe7dbbf5a5b976bbddab2f50aca85b27323ac2058e10acae2aeccd04ae224dc69ba689f13cde8b59fb678ae232fe360 |