Malware Analysis Report

2024-11-16 13:37

Sample ID: 240529-ycsreafd4v
Target: https://github.com/Crysiz2631/XWorm-3.1/releases/tag/XWorm
Tags: xworm execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://github.com/Crysiz2631/XWorm-3.1/releases/tag/XWorm was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-29 19:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-29 19:38
Reported: 2024-05-29 19:58
Platform: win10v2004-20240508-en
Max time kernel: 1199s
Max time network: 1198s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Crysiz2631/XWorm-3.1/releases/tag/XWorm

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 3

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\host.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk | C:\Users\Admin\AppData\Roaming\host.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk | C:\Users\Admin\AppData\Roaming\host.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe" | C:\Users\Admin\AppData\Roaming\host.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 4
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A | 2
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 2
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 9
N/A | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe | N/A | 31
N/A | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A | 14

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A | 1
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A | 3
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A | 17

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 45
N/A | N/A | C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe | N/A | 19

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 24
N/A | N/A | C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe | N/A | 2
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 38

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\host.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4904 wrote to memory of 1076 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 4904 wrote to memory of 1484 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 40
PID 4904 wrote to memory of 892 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 4904 wrote to memory of 5104 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 20

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Crysiz2631/XWorm-3.1/releases/tag/XWorm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810c446f8,0x7ff810c44708,0x7ff810c44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8

C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe

"C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe"

C:\Users\Admin\AppData\Roaming\host.exe

"C:\Users\Admin\AppData\Roaming\host.exe"

C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe

"C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "host" /tr "C:\Users\Admin\AppData\Roaming\host.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x388 0x2fc

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\Readme.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\Fixer.bat" "

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\fixing.txt

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\Fixer.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12240170983264347544,14374544668607144162,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2372 /prefetch:2

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe

"C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe"

C:\Users\Admin\AppData\Roaming\host.exe

"C:\Users\Admin\AppData\Roaming\host.exe"

C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe

"C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe

C:\Users\Admin\AppData\Roaming\host.exe
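
Editor's note (added example, not sandbox output). The process list above records the whole execution and persistence chain: the builder executable runs from Downloads, starts copies of itself and host.exe from AppData\Roaming, then uses PowerShell with -ExecutionPolicy Bypass to add Defender exclusions for host.exe (path and process name) and schtasks to relaunch host.exe every minute at the highest run level. The Python below turns that reading into detection logic run over command lines copied from the list. The rule set, the ATT&CK labels and the Finding structure are the editor's assumptions, not the sandbox's own signatures.

```python
"""Detection logic for the command lines in the Processes section.

Added example by the page editor; not sandbox output. The sample command
lines are copied from the report above, the rules are the editor's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the Processes section.
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US',
    r'"C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\XWorm V3.1.exe"',
    r'"C:\Users\Admin\AppData\Roaming\host.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionProcess 'host.exe'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "host" /tr "C:\Users\Admin\AppData\Roaming\host.exe"',
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-3.1-XWorm\XWorm-3.1-XWorm\Readme.txt',
    r"lodctr /r",
]


@dataclass
class Finding:
    technique: str   # ATT&CK technique id assigned by this example's rules
    reason: str
    cmdline: str


# (technique id, description, pattern). Editor's rules, not the sandbox's.
RULES = [
    ("T1562.001", "Defender exclusion added with Add-MpPreference",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    ("T1059.001", "PowerShell started with -ExecutionPolicy Bypass",
     re.compile(r'powershell(\.exe)?"?\s.*-ExecutionPolicy\s+Bypass', re.I)),
    ("T1053.005", "schtasks /create with a one-minute trigger at highest run level",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b(?=.*/RL\s+HIGHEST)(?=.*/sc\s+minute)', re.I)),
    ("T1204.002", "executable run from a user-writable profile directory",
     re.compile(r'^"?[A-Z]:\\Users\\[^\\]+\\(AppData\\Roaming|Downloads)\\.*\.exe"?\s*$', re.I)),
]


def triage(cmdlines):
    """Return one Finding per (command line, matching rule) pair."""
    return [Finding(tid, why, cmd)
            for cmd in cmdlines
            for tid, why, rx in RULES
            if rx.search(cmd)]


def persistence_targets(findings):
    """Paths the attacker arranged to keep alive: Defender exclusion paths and
    scheduled-task actions. Remove these first when cleaning the host."""
    targets = set()
    extractors = (re.compile(r"-ExclusionPath\s+'([^']+)'", re.I),
                  re.compile(r'/tr\s+"([^"]+)"', re.I))
    for f in findings:
        for rx in extractors:
            m = rx.search(f.cmdline)
            if m:
                targets.add(m.group(1))
    return targets


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for f in found:
        print(f"{f.technique}  {f.reason}\n    {f.cmdline}")
    print("persistence targets:", persistence_targets(found))
```

The two exclusion commands and the scheduled task all point at the same file, C:\Users\Admin\AppData\Roaming\host.exe, which is why persistence_targets collapses them into a single path: on a real host that path, the task named "host" and the Defender exclusions are the cleanup list.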

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 next-screening.at.ply.gg udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
US 8.8.8.8:53 next-screening.at.ply.gg udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
US 8.8.8.8:53 next-screening.at.ply.gg udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
US 8.8.8.8:53 next-screening.at.ply.gg udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
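
Editor's note (added example, not sandbox output). The Network table mixes the browser's own traffic to GitHub and Bing with the sample's: one DNS lookup and HTTP connection to ip-api.com (the external-IP check), and dozens of TCP connections to 209.25.141.223:48590 resolved from next-screening.at.ply.gg, a tunnel hostname on a non-standard port. Repetition against a single endpoint on a port other than 80 or 443 is the telling shape of a RAT check-in. The Python below, written by the editor, parses rows in the table's own layout and separates the two; the port list, connection threshold and lookup-service list are assumptions.

```python
"""Network triage for the Country/Destination/Domain/Proto table above.

Added example by the page editor; not sandbox output. Rows are copied from
the Network section; the thresholds and service list are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the rows in the Network table, same layout.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 next-screening.at.ply.gg udp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
DE 209.25.141.223:48590 next-screening.at.ply.gg tcp
NL 23.62.61.160:443 www.bing.com tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """Parse report rows. A row with no resolved name (the mDNS line) has
    three columns; the header has no ip:port and is skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        if ":" not in dest:
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


WEB_PORTS = {80, 443}                 # assumption: what browsing looks like
IP_LOOKUP_SERVICES = {"ip-api.com"}   # assumption: extend with your own list


def tcp_endpoint_counts(flows):
    """Connections per (ip, port, domain). Browsing scatters across many
    hosts; a RAT check-in repeats against one endpoint."""
    return Counter((f.ip, f.port, f.domain) for f in flows if f.proto == "tcp")


def beacon_candidates(flows, min_connections=3):
    """Repeated TCP connections to a non-web port, busiest endpoint first."""
    hits = [(ep, n) for ep, n in tcp_endpoint_counts(flows).items()
            if n >= min_connections and ep[1] not in WEB_PORTS]
    return sorted(hits, key=lambda h: -h[1])


def dns_lookups(flows):
    """Forward lookups only. The in-addr.arpa rows are PTR queries for
    addresses already present as connection targets and add no indicator."""
    return sorted({f.domain for f in flows
                   if f.proto == "udp" and f.port == 53 and f.domain
                   and not f.domain.endswith(".in-addr.arpa")})


def external_ip_checks(flows):
    """Connections to public what-is-my-IP services."""
    return sorted({f.domain for f in flows
                   if f.proto == "tcp" and f.domain in IP_LOOKUP_SERVICES})


if __name__ == "__main__":
    flows = parse_rows(SAMPLE_ROWS)
    print("beacon candidates:", beacon_candidates(flows))
    print("names resolved:   ", dns_lookups(flows))
    print("external IP check:", external_ip_checks(flows))
```

Against the full table the ply.gg endpoint accounts for roughly fifty connections over the twenty-minute run while no GitHub or Bing host exceeds a handful, so the threshold can be raised well above 3 without losing the indicator. Block on the hostname as well as the IP: a tunnel endpoint of this kind can be re-pointed at a different address without changing the sample.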

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2b2380f93db858b3a8f2736680744567
SHA1 4dc58c92db6f53394b4fb3220517edb89184ab53
SHA256 3568f92ef9f5e9596be032cd5f55f646e767c63d170de94bad43a29f921cb4e3
SHA512 8ab1dbbc75a64f4024db5c32351b1056bbd993d9a705b9c25597c72de13811e642cf087047f2d9f0c23fcab47618a9c01e2fd5b9e150c1087efc9c510f60c8ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 abe14ddf2eee4f0091a26ef67152749a
SHA1 6862dfc99fb89735d4e559a41c35f6e1ed171fd2
SHA256 7dfc10212f57a2ad0a5114a408fe5693ae107d84fe8aeffc556c7e0f865eb127
SHA512 398a27c2b2c6e2f1c6b5b3a650217b70860f4a9b0e5296e920615971efe8014454bed2933efb1f37eb931c3e26fb8a269816787da6d640883e29db06807c76a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 548ec065e6a6dcb97555eab5675a4f26
SHA1 49752098b488fe6bdc3321bed68829ffe5d9fa3f
SHA256 c32b7e7ece02120947064021cc7199cc90085a4f0e247762ebb9fa3fc621593a
SHA512 d3d4cfe6679656d5ed26cc7867c70fa1481175fe12944a886c8a13b9b4b6b3b9d4531596b02204a30df456a2aa88853035cc1c72fdda6222317e905696376e6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 763fd6532854e971d9d533d0ed36a847
SHA1 6a351fd84a15f5c3bf40d3cecf3b4c1e9568e889
SHA256 6bd63fdc401cae4fa5dfbdb885688f852e62841b9c4d0d76d603c4c880871525
SHA512 9f33da678bdb9906df93cd550b075062085143631d7d394238da3da747856fe6f9de23ff67546332e614ab52c1327ccf9e75aa6b306fb2f82e29c00d10468ffe

memory/5592-167-0x0000000000BF0000-0x00000000012FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\host.exe

MD5 7ade421a4759874f3edbd351490d2405
SHA1 b9f73f15595f042ca86314dc52f655c99d2fab71
SHA256 9906c3009cd5590b15abc938d24d64e4d54b2518cf05b46ec5987d3d14697695
SHA512 7242d26f0ba665575004606b302b192f82433603aaef42e6254d714ed4c66866db5f78abad7ac59f0b064fa7c4f1fb48e3e8f5eecf7ae2b26d9383ddfd90b446

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2025f4acc4defd0a308b854640c09156
SHA1 ceda62ae44f1e94a2c8f0f43eacdb6de2226bad0
SHA256 aaa882182ecd62b34739554754494de902ad4f70b151c679dda62de958dc9a7d
SHA512 4e7266519a2feac2f24604189915439c87095ff9346d232d375d92324f3ec18dea3614f4c55633dbcbcff8ff6fd7191f1b075a75698295fa891862d7ce1ec749

memory/5728-184-0x0000000000D90000-0x0000000000DAA000-memory.dmp

C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe

MD5 37a9fdc56e605d2342da88a6e6182b4b
SHA1 20bc3df33bbbb676d2a3c572cff4c1d58c79055d
SHA256 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58
SHA512 f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V3.1.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/5812-195-0x00000000008F0000-0x0000000000FE6000-memory.dmp

memory/5812-198-0x000000001D590000-0x000000001E0FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpihlspz.obp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5300-210-0x00000201E7750000-0x00000201E7772000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3161f4edbc9b963debe22e29658050b
SHA1 45dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA256 1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512 006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 37baf21f6884d62dd3fae3bcac0e3f54
SHA1 86387f81e0e639f4b89ac148a2611dbe17c692e5
SHA256 fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be
SHA512 13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461

C:\Windows\System32\perfh007.dat

MD5 312d855b1d95ae830e067657cffdd28c
SHA1 8133c02adeae24916fa9c53e52b3bfe66ac3d5a3
SHA256 ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf
SHA512 f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14

C:\Windows\System32\perfc007.dat

MD5 bc3d1639f16cb93350a76b95cd59108b
SHA1 47f1067b694967d71af236d5e33d31cb99741f4c
SHA256 004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9
SHA512 fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

C:\Windows\System32\perfc011.dat

MD5 50681b748a019d0096b5df4ebe1eab74
SHA1 0fa741b445f16f05a1984813c7b07cc66097e180
SHA256 33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a
SHA512 568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

C:\Windows\System32\perfc00A.dat

MD5 70c7ba068b82106810720fdec5406762
SHA1 744c05ee14ea69e9706a07967b4ca1597298729d
SHA256 f3fccee564956fd81a1bba3477a18b04197bccf5efa057713c92a77b266c7b33
SHA512 14bb6e89946abcc10f640e2d553623b319c829e31ff872be0976c3d0419bc8ac656e4774333d4040df9507f064e9f92347677f4b20c66317fffaabed5bb1c4b4

C:\Windows\System32\perfh011.dat

MD5 394e68a48cbedf2aa4290ad4be6c1254
SHA1 e9b5a4204bedd201adfee94cd4bd475f92d508a0
SHA256 48dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88
SHA512 5b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c

C:\Windows\System32\perfh009.dat

MD5 367662b55faba4e0728f3c296daa92a7
SHA1 1775899bd0f1bb5cf945910db18aa3a9d4d15b7a
SHA256 c2ea1af1c970468f522e354c8e47b121b66a0d0428a8400f4a5cb03216368ce1
SHA512 283e9cf2bf6fe904b530bd188347641c1d30b27c95d89552e18aa33be1c7e2840f10a09868a2862ee53bb805cef2cdbb31b8db391ca140b5dda27058dcad11ce

C:\Windows\System32\perfh010.dat

MD5 4e277d7a9304103e3b68291044c7db6b
SHA1 b23864c76259c674ac2bc0210dab181bfc04dedf
SHA256 5dc2192236274fda886a0c0f396646f9292000ba33bd0e2061a65bc06639be16
SHA512 094477571cb17d7b19f6e81ef237c579f03c944745499b2e537d77972da89f8f4baa0825c3f79993d96116aa071bbc776a96f55cf8ab3f60698c2c4e03e36957

C:\Windows\System32\perfc010.dat

MD5 9c127d90b405f6e4e98e60bb83285a93
SHA1 358b36827fb8dbfd9f268d7278961ae3309baaa1
SHA256 878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578
SHA512 bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73

C:\Windows\System32\perfh00C.dat

MD5 5eab28207b64327afaf81a30af478813
SHA1 b52ae3c1d6f0969864a20b1166947724ede26976
SHA256 cc2c02565e337c38a5b57f5e1339652f2189fb31961501f0b0b54be19583e264
SHA512 a84dfa7e0a5d1689cd9dbfe7814b9965359796d8484d991e1d3a91096074fa866152d49515a6866a761ea97e5d0d696bcaf0ef18f6a1b3cf8ba20462a4f9ea96

C:\Windows\System32\perfc00C.dat

MD5 391168ff06e8d68c7a6f90c1ccb088be
SHA1 c3f8c12481c9d3559e8df93ade8f5bfefd271627
SHA256 7f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525
SHA512 71fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6

C:\Windows\System32\perfh00A.dat

MD5 893d78f82b3994cf86b3c8c80cd7ad6a
SHA1 a68cfd50ebc35eee62c84f0fd74d20d1e0bb1476
SHA256 411b7581b0af88caa8c75409dc83ac8b521ba4d987d9347402438be16d31097c
SHA512 7f7cc32aca4f023f34e4ab7a51fbd0ca0b0ea51fde6d79b9a4322bee9b4d55800a981b2d97007ceadfa609767b7d84e9eebd8b3e92f9cb68855625a25767f42b

C:\Windows\system32\perfc009.dat

MD5 243bb32f23a8a2fa8113e879d73bfdf7
SHA1 2f9d0154d65d0b8979a1aeb95b6cf43384114f70
SHA256 69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c
SHA512 34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8

C:\Users\Admin\AppData\Roaming\Intro.wav

MD5 dc28d546b643c5a33c292ae32d7cf43b
SHA1 b1f891265914eea6926df765bce0f73f8d9d6741
SHA256 20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851
SHA512 9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d68bae8812f83ebc955947a67de5d3df
SHA1 6311f27db2c0a8d2ed1ebbc194392be557355b34
SHA256 6495513d87ef4ba9c41193a3cb020895e511e0d3b055aa3bc9eb3a3ac47ec6ba
SHA512 79abbe50ae2cd03c8dd4d3c85835750eed3db0df531eb08f98530185b39239aadf9485b42f5f0a78e184fc469f9d26d3ab52c496cfecc873ad02dff2a85ada21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d4cf7ad20fc31e099f8993f366d0f937
SHA1 8663f3509757ecacac531dcca9f02f152b631f08
SHA256 284b84479be6b3b13c756c88b2f2027bd5eca8f5eae61065b236541be3aae2c2
SHA512 59d9f199453bc1692f6f7d9c25d0200b4b10754745e8349514d9805b2e813d6bfa17a08a910e4dd208fae2a6336ccc78c361d7d5986a406ca45ff6eb73dd5647

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 b5a4e0a2df36d39ec061263d20d2532c
SHA1 97c95ca22ec572e7822aa316f9fd81771745fc79
SHA256 8f25b1b49e0636dbaf115d2b4f1b0caf00e16fa72fcb5bffc638e765b0887cbc
SHA512 7d9b93a2d1742dd9c75ff52f2b7c4abf6167aac28ff8e678d9c5cc6232c295b9f2208e74e5290b2ff20aff73922d794e0b8ac3cc40f57d80a8c4921f42db5b31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59f1b9.TMP

MD5 c73f1911427594f1d4df2adea455ceed
SHA1 805c6f8ae97e02befb677ceb6654ac1335b0fc01
SHA256 9bbaf2d2a6451dfa3841e80aa4a1b5e45d8e469b487a0f78dbc78ff230b45ece
SHA512 2a4e7859c38c9436e174072b58b4ef5c1c9a86df4d9ef0429b61de23b833e486fe51ee001f7c03a8e67214fe31b9f123c3e08cd735494cf525c6a4b6c7f8d511

C:\Windows\system32\perfh009.dat

MD5 0e06730950deaeb094dc76f0e012b827
SHA1 2b4fb47055a364f34c0b4f3cb9cc95376346910f
SHA256 f8dba82e1659fcf93bba70fdac36be459cd60a6cc9217af125f5bd0b3dc7d6da
SHA512 2ee6d6cce846ccee1bcad666466a829160a9abaedbcb997ab4daa3ec9af18246d29195eeee4126b9efb399e169d15f92383ac82b5949e56e17ef78c08d63326f

memory/3976-1850-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1852-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1851-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1862-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1861-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1860-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1859-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1858-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1856-0x0000026B67600000-0x0000026B67601000-memory.dmp

memory/3976-1857-0x0000026B67600000-0x0000026B67601000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk

MD5 ccd8a5d78d724ba0a345822107e6f142
SHA1 8ebbe360da12b6c8ecfa04541ca33a699bab09cd
SHA256 86f4a2168dd52ed15cf589f9f9337f07fbaa111d592b454e7dd563e5f761d0d3
SHA512 6594cf0360e6d7cc161074df2d3949d5ffe7dbbf5a5b976bbddab2f50aca85b27323ac2058e10acae2aeccd04ae224dc69ba689f13cde8b59fb678ae232fe360
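
Editor's note (added example, not sandbox output). Most of the Files section is detonation noise: Edge profile files rewritten while browsing and the perf*.dat counter files rebuilt by lodctr /r. The sample's own artefacts are the two executables written to AppData\Roaming, Intro.wav beside them, and host.lnk in the Startup folder, a second persistence path alongside the scheduled task. The Python below, written by the editor, parses the report's path-plus-hash layout (memory/... dump lines included), keeps only files written to user-writable drop locations, and yields the SHA256 set worth blocking. The entries are copied from above with SHA512 lines left out for brevity; the directory lists are assumptions.

```python
"""Pull the sample's own artefacts out of the Files section.

Added example by the page editor; not sandbox output. Entries are copied
from the report (SHA512 lines omitted), the directory lists are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in the report's layout: path, blank line, hash lines;
# memory dump captures appear as bare memory/... lines.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 abe14ddf2eee4f0091a26ef67152749a
SHA1 6862dfc99fb89735d4e559a41c35f6e1ed171fd2
SHA256 7dfc10212f57a2ad0a5114a408fe5693ae107d84fe8aeffc556c7e0f865eb127

memory/5592-167-0x0000000000BF0000-0x00000000012FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\host.exe

MD5 7ade421a4759874f3edbd351490d2405
SHA1 b9f73f15595f042ca86314dc52f655c99d2fab71
SHA256 9906c3009cd5590b15abc938d24d64e4d54b2518cf05b46ec5987d3d14697695

C:\Users\Admin\AppData\Roaming\XWorm V3.1.exe

MD5 37a9fdc56e605d2342da88a6e6182b4b
SHA1 20bc3df33bbbb676d2a3c572cff4c1d58c79055d
SHA256 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

C:\Windows\system32\perfc009.dat

MD5 243bb32f23a8a2fa8113e879d73bfdf7
SHA1 2f9d0154d65d0b8979a1aeb95b6cf43384114f70
SHA256 69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk

MD5 ccd8a5d78d724ba0a345822107e6f142
SHA1 8ebbe360da12b6c8ecfa04541ca33a699bab09cd
SHA256 86f4a2168dd52ed15cf589f9f9337f07fbaa111d592b454e7dd563e5f761d0d3
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")


def parse_files(text):
    """Entries are {'kind': 'file', 'path', 'hashes'} or
    {'kind': 'memory', 'path', 'pid', 'start', 'end'}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
            continue
        mm = MEM_RE.match(line)
        if mm:
            current = None
            entries.append({"kind": "memory", "path": line, "pid": int(mm.group(1)),
                            "start": int(mm.group(2), 16), "end": int(mm.group(3), 16)})
            continue
        current = {"kind": "file", "path": line, "hashes": {}}
        entries.append(current)
    return entries


# Assumptions: where a dropper writes, and what the detonation itself churns.
DROP_DIRS = ("\\AppData\\Roaming\\", "\\Start Menu\\Programs\\Startup\\",
             "\\AppData\\Local\\Temp\\", "\\Downloads\\")
NOISE_DIRS = ("\\Microsoft\\Edge\\User Data\\", "\\Windows\\System32\\perf")


def dropped_artifacts(entries):
    """Files under a drop directory that are not browser or perf-counter noise."""
    keep = []
    for e in entries:
        if e["kind"] != "file":
            continue
        p = e["path"].lower()
        if any(d.lower() in p for d in NOISE_DIRS):
            continue
        if any(d.lower() in p for d in DROP_DIRS):
            keep.append(e)
    return keep


def hash_set(entries, algo="SHA256"):
    """Sorted, de-duplicated hashes for a blocklist or hunt query."""
    return sorted({e["hashes"][algo] for e in entries if algo in e.get("hashes", {})})


def memory_region_sizes(entries):
    """Byte size of each dumped region per PID; a large private region in a
    freshly started process is where an unpacked payload usually sits."""
    sizes = defaultdict(list)
    for e in entries:
        if e["kind"] == "memory":
            sizes[e["pid"]].append(e["end"] - e["start"])
    return dict(sizes)
```

The same browser path appears several times in the section with different hashes because Edge rewrites its profile files during the run; the noise filter drops those before they reach the hash set, and the Startup .lnk is kept because its hash is as good a host-wide indicator as the executable it points at.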