Analysis

  • max time kernel
    99s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 00:03

General

  • Target

    https://disk.yandex.ru/d/myj542RouD_tfQ

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/qrQPCaGK:1

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/qrQPCaGK

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/myj542RouD_tfQ
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc002046f8,0x7ffc00204708,0x7ffc00204718
      2⤵
        PID:5092
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        2⤵
          PID:2680
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1760
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
          2⤵
            PID:1328
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
            2⤵
              PID:5048
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
              2⤵
                PID:3572
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
                2⤵
                  PID:1656
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
                  2⤵
                    PID:5060
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4376
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8
                    2⤵
                      PID:1720
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
                      2⤵
                        PID:2560
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4300
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                        2⤵
                          PID:5804
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
                          2⤵
                            PID:6112
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
                            2⤵
                              PID:4432
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1780 /prefetch:1
                              2⤵
                                PID:2624
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1460
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1520
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5648
                                • C:\Program Files\7-Zip\7zFM.exe
                                  "C:\Program Files\7-Zip\7zFM.exe"
                                  1⤵
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:3216
                                  • C:\Program Files\7-Zip\7zG.exe
                                    "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap27715:92:7zEvent24720 -ad -saa -- "C:\Program Files\7-Zip\Neverlose Crack"
                                    2⤵
                                    • Drops file in Program Files directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    PID:1648
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:2460
                                  • C:\Users\Admin\Desktop\Neverlose Crack.exe
                                    "C:\Users\Admin\Desktop\Neverlose Crack.exe"
                                    1⤵
                                    • Checks computer location settings
                                    • Drops startup file
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:532
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Neverlose Crack.exe'
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:624
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Neverlose Crack.exe'
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5632
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update'
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2120
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'update'
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5472
                                    • C:\Windows\System32\schtasks.exe
                                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "update" /tr "C:\Users\Admin\AppData\Local\Temp\update"
                                      2⤵
                                      • Creates scheduled task(s)
                                      PID:5888
                                  • C:\Users\Admin\Desktop\Neverlose Crack.exe
                                    "C:\Users\Admin\Desktop\Neverlose Crack.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:680
                                  • C:\Users\Admin\AppData\Local\Temp\update
                                    C:\Users\Admin\AppData\Local\Temp\update
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5184
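The behaviours worth keying a detection on sit together in the tree above: four Add-MpPreference calls that exclude both the dropper's path and its process name, a schtasks /create that runs every minute at the highest run level with a target in %Temp%, and an extension-less binary named update executing from %Temp%. The Python below is an added example, not tooling from the sandbox or from the XWorm author, that applies those rules to process-creation events (Sysmon Event ID 1 or EDR telemetry reduced to pid, parent pid, image and arguments). The event tuples are transcribed from the process tree; the rule names, the benign 7-Zip control event, and the choice of None as parent for level-1 processes are assumptions made for the example.

```python
"""Detection logic for the XWorm installer behaviour in this report: Defender
exclusions via Add-MpPreference, per-minute scheduled-task persistence with
/RL HIGHEST into %Temp%, and an extension-less binary running from %Temp%.
Added example, not sandbox tooling; events are transcribed from the report."""
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (pid, parent_pid, image, arguments) taken from the
# process tree. parent_pid is None where the tree shows the process at level 1.
EVENTS = [
    (532, None, r"C:\Users\Admin\Desktop\Neverlose Crack.exe", ""),
    (624, 532, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Neverlose Crack.exe'"),
    (5632, 532, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Neverlose Crack.exe'"),
    (2120, 532, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update'"),
    (5472, 532, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'update'"),
    (5888, 532, r"C:\Windows\System32\schtasks.exe",
     r'/create /f /RL HIGHEST /sc minute /mo 1 /tn "update" /tr "C:\Users\Admin\AppData\Local\Temp\update"'),
    (5184, None, r"C:\Users\Admin\AppData\Local\Temp\update", ""),
    (3216, None, r"C:\Program Files\7-Zip\7zFM.exe", ""),  # benign control: must not fire
]

EXCLUSION_RE = re.compile(r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)""", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_DIR_RE = re.compile(r"^[A-Z]:\\Users\\", re.I)
LOLBINS = {"powershell.exe", "schtasks.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def schtasks_options(args):
    """Return the /sc /mo /rl /tn /tr values of a schtasks command line (None if absent)."""
    def option(name):
        m = re.search(rf'/{name}\s+(?:"([^"]+)"|(\S+))', args, re.I)
        return (m.group(1) or m.group(2)) if m else None
    return {name: option(name) for name in ("sc", "mo", "rl", "tn", "tr")}


def analyse(events):
    """Apply three behavioural rules plus a parent-context rule to each event."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, args in events:
        exe = image.rsplit("\\", 1)[-1].lower()

        # Rule 1: Defender exclusion added from PowerShell (defense evasion).
        if exe == "powershell.exe":
            m = EXCLUSION_RE.search(args)
            if m:
                findings.append(Finding(pid, "defender_exclusion", f"{m.group(1)}={m.group(2).strip()}"))

        # Rule 2: scheduled-task persistence with the options seen in the report.
        elif exe == "schtasks.exe" and re.search(r"/create\b", args, re.I):
            o = schtasks_options(args)
            reasons = []
            if (o["sc"] or "").lower() == "minute" and o["mo"] == "1":
                reasons.append("runs every minute")
            if (o["rl"] or "").upper() == "HIGHEST":
                reasons.append("highest run level")
            if o["tr"] and TEMP_RE.search(o["tr"]):
                reasons.append("target in %Temp%")
            if reasons:
                findings.append(Finding(pid, "schtasks_persistence",
                                        f"task {o['tn']} -> {o['tr']}: " + ", ".join(reasons)))

        # Rule 3: anything executing out of %Temp%; note a missing extension as well.
        if TEMP_RE.search(image):
            suffix = "" if "." in exe else " (no extension)"
            findings.append(Finding(pid, "exec_from_temp", image + suffix))

        # Rule 4: a LOLBin launched by a binary that lives under a user profile.
        parent = by_pid.get(ppid)
        if parent and exe in LOLBINS and USER_DIR_RE.search(parent[2]):
            findings.append(Finding(pid, "lolbin_from_user_path", f"{exe} spawned by {parent[2]}"))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<24} {f.detail}")
```

The regexes parse command lines as the report renders them; adapt them to the quoting your own telemetry source emits. Note that the dropper excludes the process name as well as the path before it creates the task, so a rule that only watches for excluded .exe paths would miss the extension-less update entry, which is why Rule 1 keys on the Add-MpPreference verb rather than on the value being excluded.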

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Program Files\7-Zip\Neverlose Crack.7z

                                    Filesize

                                    36KB

                                    MD5

                                    555b93d18cbfadcc1578924288093094

                                    SHA1

                                    eae812f57ceadd0f2efaafa88f4658c8418c34ac

                                    SHA256

                                    bffba1cb15a35f11e1a7521efd5b2e2bd12fca1955c9373e2c0c7c50d5f80b1d

                                    SHA512

                                    886c48721e1ce6ff887b65877df181446665be2695e9591a5c4f2249156e119039fa533ea36f5fa485ef180e30fa7a20cadc044b63f660f1d780b4141014411e

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                    Filesize

                                    2KB

                                    MD5

                                    9c172d22fbbdafe12dfc5c909edea107

                                    SHA1

                                    9961cfc5a51f1d375186fc64bf98214bdc0cf2df

                                    SHA256

                                    315439a1131019ecb316a0344395624965a961baff563be19221620e6e3dc18d

                                    SHA512

                                    d459ca5a3abd05b5bff39056065e786eec0260cb83b03c774ab0b98f07dfc8ef7dd5db5f37c569ac0d531ebd640c6dc0aaefc407d357280e07b011e982b91e2d

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    a8e767fd33edd97d306efb6905f93252

                                    SHA1

                                    a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                    SHA256

                                    c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                    SHA512

                                    07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    439b5e04ca18c7fb02cf406e6eb24167

                                    SHA1

                                    e0c5bb6216903934726e3570b7d63295b9d28987

                                    SHA256

                                    247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                    SHA512

                                    d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

                                    Filesize

                                    56KB

                                    MD5

                                    6a398c523b4af71cc52ccac6368818a4

                                    SHA1

                                    62227e5498db7cd86e0b6e68dd2530dec33905e0

                                    SHA256

                                    0375bff344824419266a6621456ddbec01cd642035d6389f03c6d6ec299d81db

                                    SHA512

                                    882621913e323b9c89fb68561bf78f104e629e1741245fbe2d0a8b8a9404d5ed961106f9e717f040cbd145ef901b1e8b0b787786a79eb2b15d4e3c597e3c2580

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                    Filesize

                                    576B

                                    MD5

                                    ef1646ef288346eef6baafbfd4bac4d0

                                    SHA1

                                    f9b89dcc921e040dd8bd9db6dc51f3a17c28a939

                                    SHA256

                                    5653004278cb4a4258c8d315e7a93eaab77d13bee889492f59372c3105517b84

                                    SHA512

                                    8c5360e257c45bf1f45b59b5b64aafeee4a83761bb3bc15e36faca03c0deec527a62da0ac5508e3de5863d7b116c653a2321ba6bd51b194a49c69e080ab4d90a

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                    Filesize

                                    785B

                                    MD5

                                    e5cce09f90559669977cd4dae060c626

                                    SHA1

                                    576f8bd39dcfa6dda96bc82dfbc17ffd48d31389

                                    SHA256

                                    4a383e615acf3dc761f08c2d03031b7ad4a4fe7316c99b0bbeb3474989fb4fb6

                                    SHA512

                                    2d38220fe7ea73698bd05112565114b2abf375aaa2e11eb8182f8f93c25ea27b20948d1b3b9cdf1cca1d99bad86a7710a3a2e948c8afdefd043de18dc68aba93

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    0c30f5382fb8a2f813442feb47aa4bb0

                                    SHA1

                                    dcf423d4f8760324f7e6c0d587e0434c3842e4d5

                                    SHA256

                                    caec804b944b4bda17a0a3572f6675fedae215d0ee3e4973878c66c9eba53d4b

                                    SHA512

                                    7336525096a5bd24b86261b6d1f9f476ecf718230aa8cb145feb80a1273173fa5c74b681db1e2a915d5d8e17dc9ebfe38b82c7795be3ecf553aa66445c5d9005

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    6a523d0c337e52c488a9711c818a082c

                                    SHA1

                                    14f4b5be6adf2646852190e3912bc8d5ed944200

                                    SHA256

                                    8e90c6769953fc187292c7f8861a9f975178ba50f5b01d495b59ce0437edb85b

                                    SHA512

                                    a1f54b18c471934d0742e2acaf5ff4016acff2935769cfca3849a4dd5055fca72454188a95e0374c03c3885f78fd75841e9306158467497f755300bdb00d6c6d

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    ed30a2114c2357bc3c99b75f6145c61a

                                    SHA1

                                    b8f109999c39fe674da258da5f0fcb25c4a3dca3

                                    SHA256

                                    4d284ec2be609f7ea02ec27613e91d03b65692777f5684d7dc37ae01af778784

                                    SHA512

                                    360f5ed9dd906b7a5f3bf909c6c45437a8a89acfd41fa5361f6647645c26729420c2ed89e86e1460166d5057e007d351306213010510abc10db74d2b3e80b672

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                    Filesize

                                    1KB

                                    MD5

                                    c347baef1e04bedcbcc6f4c03bfc9476

                                    SHA1

                                    7e88e1b8478adad3842b102e94574a1d019a64f2

                                    SHA256

                                    4207ca6fbfbc1d4fe208e5238e4c23fe6ce95884627ad0db37007878604c7363

                                    SHA512

                                    c664e46afeb2b3abeb3c74a4ae7b9f95c80bbf0b709a5d03f17b1c8ac44daae82380a18ac8f3186a623322173e84eef557b052afa2b11ed72f11420af790d29c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b5b3.TMP

                                    Filesize

                                    1KB

                                    MD5

                                    92bfff556e94d3375271ba75cca122c4

                                    SHA1

                                    b4769a4e1aaeac4daa1af72a202184d5d196e5a5

                                    SHA256

                                    2b29dfd7136b76ca81a4b810d109f7de8868aa58986e519e118f99d6a94fe32e

                                    SHA512

                                    38c9b74de948fed9d17038f0771775e24ad54074bf06678de2028ed1d58e9b450cb4d1c5cbafd6d6c744108dc58562a36e4d15a13b92b4732f011f2787cd53d6

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

                                    Filesize

                                    41B

                                    MD5

                                    5af87dfd673ba2115e2fcf5cfdb727ab

                                    SHA1

                                    d5b5bbf396dc291274584ef71f444f420b6056f1

                                    SHA256

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 11KB)

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 11KB)

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 11KB)

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize 944B)

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize 944B)

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize 944B)

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3fzqdzj.lkh.ps1 (Filesize 60B)

                                  • C:\Users\Admin\Desktop\Neverlose Crack.exe (Filesize 66KB)

                                  • C:\Users\Admin\Downloads\Neverlose Crack.rar (Filesize 36KB)

                                  • \??\pipe\LOCAL\crashpad_2376_MQQYYPHVWCZIBLDV

                                  • memory/532-267-0x0000000000ED0000-0x0000000000EE6000-memory.dmp (Filesize 88KB)

                                  • memory/624-277-0x00000166F0400000-0x00000166F0422000-memory.dmp (Filesize 136KB)

                                  • memory/5472-338-0x0000019BEF200000-0x0000019BEF21E000-memory.dmp (Filesize 120KB)

                                  • memory/5472-337-0x0000019BEF1E0000-0x0000019BEF1F9000-memory.dmp (Filesize 100KB)

                                  • memory/5472-339-0x0000019BEF610000-0x0000019BEF658000-memory.dmp (Filesize 288KB)