xenarmor | be15293b42ddc2b13e6cb4316abb5a405c40f9eeb277ff0aedd284124e980298

Analysis

max time kernel
445s
max time network
502s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

33KB
MD5

b1464f91ed72f58762070a2156a0e051
SHA1

24a5bda03c3a18918a3343a88f3231fdb5c5dea4
SHA256

be15293b42ddc2b13e6cb4316abb5a405c40f9eeb277ff0aedd284124e980298
SHA512

e60ace933853b192548b324ab9b2dd89a40396c6fba246ca1d251f6bdcef6a37d9484c03bed1abdab46220a99c34793445b732e807f671ddc0ebab00e6aa7046
SSDEEP

384:kl+PkjD9+E5MFs7iui8L7zKM42pfL3iB7OxVqWFiRApkFXBLTsOZwpGN2v99IkuV:Q+CD93W03v42JiB70SVF49jBOjhmbw

Score

10^/10

xenarmor xworm collection evasion password ransomware rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

noiphabibi.ddns.net:1177

Mutex

uPpCa0dXygiTwFxX

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3792-352-0x000000001D9C0000-0x000000001D9CE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3792-0-0x0000000000ED0000-0x0000000000EDE000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

XClient.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	XClient.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

XClient.exe

description	pid	Process	procid_target
PID 3792 created 1236	3792	XClient.exe	123

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral2/files/0x0003000000000737-187.dat	acprotect
behavioral2/files/0x0003000000000735-183.dat	acprotect
behavioral2/files/0x000300000000072d-178.dat	acprotect
behavioral2/files/0x000400000000072b-173.dat	acprotect
behavioral2/files/0x0003000000000717-168.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	XClient.exe

Executes dropped EXE 1 IoCs

Processes:

All-In-One.exe

pid	Process
536	All-In-One.exe

Loads dropped DLL 1 IoCs

Processes:

All-In-One.exe

pid	Process
536	All-In-One.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0003000000000737-187.dat	upx
behavioral2/files/0x0003000000000735-183.dat	upx
behavioral2/files/0x000300000000072d-178.dat	upx
behavioral2/files/0x000400000000072b-173.dat	upx
behavioral2/files/0x0003000000000717-168.dat	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

All-In-One.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	All-In-One.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid	Process
3296	sc.exe
4284	sc.exe
1588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exeAll-In-One.exepowershell.exeXClient.exepowershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exe

pid	Process
1192	msedge.exe
1192	msedge.exe
4988	msedge.exe
4988	msedge.exe
796	identity_helper.exe
796	identity_helper.exe
536	All-In-One.exe
536	All-In-One.exe
2184	powershell.exe
2184	powershell.exe
3792	XClient.exe
3792	XClient.exe
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
2384	msedge.exe
2384	msedge.exe
3160	msedge.exe
3160	msedge.exe
4372	identity_helper.exe
4372	identity_helper.exe
1916	msedge.exe
1916	msedge.exe
2116	msedge.exe
2116	msedge.exe
2260	identity_helper.exe
2260	identity_helper.exe
736	msedge.exe
736	msedge.exe
2092	msedge.exe
2092	msedge.exe
1540	identity_helper.exe
1540	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

pid	Process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2092	msedge.exe
2092	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

XClient.exeAll-In-One.exepowershell.exewhoami.exepowershell.exewhoami.exe

description	pid	Process
Token: SeDebugPrivilege	3792	XClient.exe
Token: SeDebugPrivilege	536	All-In-One.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe
Token: SeDebugPrivilege	1996	whoami.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeXClient.exe

pid	Process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe
3792	XClient.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	Process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

All-In-One.exe

pid	Process
536	All-In-One.exe
536	All-In-One.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 4988 wrote to memory of 2648	4988	msedge.exe	95
PID 4988 wrote to memory of 2648	4988	msedge.exe	95
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 792	4988	msedge.exe	97
PID 4988 wrote to memory of 1192	4988	msedge.exe	96
PID 4988 wrote to memory of 1192	4988	msedge.exe	96
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98
PID 4988 wrote to memory of 4024	4988	msedge.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
  2⤵
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:4284
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:3600
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start TrustedInstaller
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:3160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff85da046f8,0x7ff85da04708,0x7ff85da04718
    3⤵
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:2804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3028 /prefetch:8
    3⤵
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:3700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    3⤵
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10827794065869756967,9445095320748075906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
    3⤵
    PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ProtectSet.shtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85da046f8,0x7ff85da04708,0x7ff85da04718
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:796
- - C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
    All-In-One.exe OutPut.json
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6754044681057403632,15585679086860658559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:1588
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:4444
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:2728
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85da046f8,0x7ff85da04708,0x7ff85da04718
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11759371976066498386,15642612730084611397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85da046f8,0x7ff85da04708,0x7ff85da04718
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5711058876585417535,1765311508429435818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5711058876585417535,1765311508429435818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5711058876585417535,1765311508429435818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5711058876585417535,1765311508429435818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5711058876585417535,1765311508429435818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5711058876585417535,1765311508429435818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5711058876585417535,1765311508429435818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\269e6a18-3579-4b8a-8b41-141138c6b21e.tmp

Filesize
10KB

MD5
837f471a34a21282b199f2a1221395c0

SHA1
ae1fbb0e2a1c2d7590f513e667837f40fd67b406

SHA256
804c6beb6dcc45e6128839ef1e989253c6ff1e496d3f52bbdff1e6e5823159f5

SHA512
e543992927f5975007f2ebdc3c36ce34368719d9019447a5eb06ea34095dcccf7b9d42d2b470003cc6535dbdfffa0df900fb357da7022c65a86b3407eafbac70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f38c7d78494e68acede466b30538226f

SHA1
a21d95bfc4eaf416d74535f32636148803ab1a9e

SHA256
b04e863465630c8ffd38e8b97bc26ccc9a317096501077e32edf06b642bf387d

SHA512
9e32d656f79ceb36c2ebbd6c6e2355e04437fbb2408aa710f2d4524053bee3536d69c7ca510b20a28fe245e8f82fa4f354db24b9c16eeb2a46142138759fb3fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7521227e153665ad601a4d68c5dbcc12

SHA1
90b8150d6dc9cf541d7fb9d1397e31e1305df736

SHA256
4f1a2e27ffc294eea315574391737e00c35821dd3008c43aedc54464d1b17a0e

SHA512
b2a892845e51a71dc98a0a1ca239a1a949c8d74500e27943ad2155a3d1a7a67c6f774f15cc80f0f4d19dba0f292f43a9e9f27fd85975f22fbfdaa7553724b6e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7207acd874935b464ab6a94714484d83

SHA1
8e8955f29b945381c83c304f4665c2d5e7f9916b

SHA256
7a3c9d2178e449e0ceab4e05af770d04f06f0135ea98d0ca4315e4b52ceda838

SHA512
23154ab7d0da3057a6f2e0d13cae34a282df1ae219af2c3fd9f7fd7abc0aa68e5b23167b6a959188ed847f0b7d7ca174e1976f06cead1bb40505dd2af1d711c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\36d25bd6-7788-408b-ac44-20c7cca76631.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
3e3296cd771dd54c332a248b9abb8ec3

SHA1
01466518d0cdc38d2d5430bda0345c2145fbb014

SHA256
1bf0a41a1a5910f98172a33cc473bf87fbd774750d17d67c2bbf31d0952da816

SHA512
8a3c842eb47784c8857d4665d552ff6c2b9735139ed3b4cdf73451eef8c0b406e3fc5adfce0e7cce3bbd417803ad39bf6d93f60e6ed0e0f556f440d1938e0aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d1f604157b0745a40453afb93a6caa42

SHA1
3d5d77429b03674ebb0ba34d925ba1b09310df5e

SHA256
468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5

SHA512
0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
b7b7092b74c080d1325cdcb5eb9a7afe

SHA1
3a947f0430c29a4d28766d48955013caf6b001d2

SHA256
4fcf769aa246c461113303837806f1effde85de2580aea1a1ab370850ce83619

SHA512
e9f422421f8fbfb571c3e098a07cd9e7893dfc3f6aa8bcf67708bbc3226dc781d7d037089f1c0b9e0af5a19692e1bdda79ac5fa2db8c771c653a71afbf5c97e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
e7a120bea306c0269fd3dfe3bc87f5ba

SHA1
7ac199be35a5b6ea77658b003ca69586f0115d61

SHA256
51857462998b8a4c7bbf572f4d1db89742923cbfeeafd5c86b8e4d90f844d5ce

SHA512
f1b1affd3be0c778d44b60694d2875f12cec409db52fc8d2c278a02df3a61629d17fdd0b182137328ea52697f435be20dfa3de93808c80558614c9e73760c898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
7aa3a1a93060875181475b3f7f254990

SHA1
f857d9d62e8b3667175fb2f27595d637856b3b4b

SHA256
5d95b869958583a1299a2fab640c5e4b48da3dbf240d631ca33b4a0ea2799f1b

SHA512
d09a5ff174272a107491c27e8b1a76c0a3892fa3655f55854d870fbd828a3860f42d5c875558e183f4aa5869395ea701f2b258740e6e19a9e42c624d5a77e1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
491B

MD5
2973f73025e48b68cd6c78757e11b387

SHA1
bd5fe989cd90de771a337e6879835a41ab3547b5

SHA256
4f575b9d970a82a1be7142b4ab9ae17deabbc54f461f7ba6375dc04d6a8967e4

SHA512
f56412716a63e20c73c6c4404fc06e42bbc3684eee0d78bd562d726c9cfddb510e15437f8d06fcc48dc463e7862c0aca1c3b718b58e77bc0d3736947830db542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
220af1dbe0b5c2a5e29ab8b9c39454b5

SHA1
faa4baa45faf11a2284fed6c160bc01b99fa41a0

SHA256
4206ca9f57c5b4f907e31789b96b40ea85ed55fde1b6509874333fa58965f10a

SHA512
86bc1dd5e43a47f3c8e4be8bb7db262ae10dd59ccecd55498e5886a39fcfa13c6009367a3e7717fc822227330d8e495371f480ad9b41ef8945aebddf61712791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
f4884f6a481238e7059b61f838cf82c6

SHA1
244548958493843f176d1652234308aee3d5b86d

SHA256
16055e5b62b710e323ac15f47100df4c43eacee8f9572cb74802bbe410eef9f7

SHA512
834f0745b6f480ee6a24c248d5633792aabb9c7fc6f0934305b2fbb1022647366c8530559b26d3e729ba6ae407cc7b0f6d2704761dccaaa11335d19f73b1028e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9f9764b63fb0692cc8b8423d312e904b

SHA1
d715ec0a20d42083feb78522076b3af7b567aadb

SHA256
7526a7809b00f4e8e2e017bdba743cd3aa20dce3601cf0571a8b5509df5c7d29

SHA512
8b2e6e24cdfd755a96c7481f1ba348e202bdf15ca7f313c5679bd0e93481e7042041e6f6f0e9c609b7aa749d2e09444cfc9f29b78732c19dd7cbbd54ec47eaa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3135b7d5eb6aa1bda3de1c413132e5ff

SHA1
d4466877f27050ecf0ac086aaa2a2e80ee428a27

SHA256
efcd433320e296a70a807931a360a1d075009857750b640a93f74d031bb8c93d

SHA512
87cd64a5a459d5ad99c4bf1c321c58ffa59db0d32130e2309e21fab1ea4cc5fca175474297611e3cb6e76301b782788c0c8e9e45d333aa2a05f1a3a548c7c82e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d78a4134551fff178e1ac7f39f203ceb

SHA1
ed5c58b00bb4dcb8f70a3cbcb47d6da51d7533ee

SHA256
8ead52ba1e82f3b8d5a4169c518cf38fb150f661b7307cc57ea03cfeeab66c35

SHA512
3408266eb632f2018e98854d8196c231ff9908a80ca0974b7482b06c003016387cd6d161872ef68943d6f759531367e1780a3ebe28691e4fee53a5942c52dd88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
481e9c9a95d7fea93a91f089d5457201

SHA1
8daf7ad4fc03ce2d68e2dd757d2125011a81174b

SHA256
c9a2edc182dffad747b4a10b0b93d6754dd8bd9dcf53fab3b84afba93eab0c66

SHA512
97fce1c58631f2b909f7ab2267a7e81dde01b3e8c5e43b660f372416150e403553c99beb77487e7c15b6eea02c067627734f02fac329df824cf62f6e16d6a15d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d21af3f2d9c9a6134393221af040ee52

SHA1
7d141e2760b19846ef8f8b43731d22463dd407d7

SHA256
f348039b453f8e61f96e80f39cdccaaaec4564b78ad19465d0acd08b9495b43c

SHA512
b7c2acd4de699115fa0bc41ba2cf95529d9becfe892cfc66ad2b1df1054eecd0e78ea4d549ab027dac07c60de2cbf7c340807a94b92277f74c4f83e486d6ea5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
230162ac022d6ce31f4f43924c0350f2

SHA1
07cd9c8cb6c1a2b9cfd2747366fd3cc3f07dd95b

SHA256
5cc6a150a6a3d8387f66d8823e7baeb4c3540bf1e69dbcbdb286e807621c556d

SHA512
9f881a59406176ee3a349ab9e91f9564bd9081c4a0bf501f60c7b2a0a0d0ed21f43360265c716757315d990982ef85fe730558c46c16a7d79f60dddda8cd86dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ccafcdfb6edeec684f46d1a3bc42ccb

SHA1
ec4e9d3da2fa996a85a3477801acd47ccaa228c8

SHA256
34863ad82f728bd60e645cebf01227ec7fdc4f364433ac5bd852dffd363aeeb5

SHA512
31a72b4d11eed854dd563bf434f65bfc13ac9f10f8a0c96d01d49c7e05e4e2069d26feb3b1f39c7de55ee1f861dd9872264d9d8398253f39c4dbbb4888d84072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c945b1b961d3962e145752fe9a5ae9d

SHA1
b628cecf642132cc4d07a238d262913108bde12a

SHA256
71bcf7ba8ba0071427dce4efeba0d40ef6677c4f4e64f1e7ef9c2fff38671bea

SHA512
41285f2e9f5868257cb84d27e851eb24e72d2c7d7beef854febf0ff8b44cc48587e7a90068fdf4a4ac5331e7398b0bd9eed3a20719a071ab3a643db85b4f3748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea0d3adc7cbb2c4959782d7d22c65100

SHA1
d9577da6f41a8f787ca8477a42fe3a46a6ea5706

SHA256
65ecce2fdb7c8e5293d323638328e1f702406e2aa8f04302a6ab8e34722565ec

SHA512
14734165ae669cbb48ce0a099fd6677f8999ec954bc337351c1b5b7aa51d0b409023c02d755f317c7a64f243896d3aad1f66115200d450e94328b2ccdd1a41db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0804cea3a45185ff0f0399a2647736a1

SHA1
d89cec78274dd3d9c0611580d197c3add6bcd260

SHA256
a5b60a1db38c3c0ccb773edf3adb2b4aa7a51dff0db8d52deaecc9a7299f762a

SHA512
62f5342f1ed872d88f21fa93ec4454ce1db94c1dfe63ede93e2883fe7727d324aefffc8a55210697b72752675636fdcd9bc069edb71165cdb5fc3e572e87a10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08f9a036a38f887a4cc1b548b5208e0a

SHA1
09057139c9705585763f5ec94cf584e17c5c518f

SHA256
ad65868f5e0df6fe1c78c95ca5aea217afd8640c27db545c3a8492f8d7acda0e

SHA512
665d1a820cefdc858c3644ae5afbdf94ebfd8bee87773a2c47e83437337b5b37c6e4cfc1c32c5f10466ece6962616b40e501e6d0f892fbd9bbaa22f33f6a3573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d52dc2ca09d662937e3e669200ec0cb9

SHA1
d61e36c11bd13511e35c2221ce2d82f509d38e91

SHA256
288af9448609160db5ae774bb18de8d77e367e51f21919a22f85fc1954140fed

SHA512
dc294f662521adec1ae09bf0e53de9de7ea1f17f8cfa5ed42b1310d0127709e2755d586e6329fcbdd65a10654d5157f895809fdd95bfdaf2c72b704d70843eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
118B

MD5
7733303dbe19b64c38f3de4fe224be9a

SHA1
8ca37b38028a2db895a4570e0536859b3cc5c279

SHA256
b10c1ba416a632cd57232c81a5c2e8ee76a716e0737d10eabe1d430bec50739d

SHA512
e8cd965bca0480db9808cb1b461ac5bf5935c3cbf31c10fdf090d406f4bc4f3187d717199dcf94197b8df24c1d6e4ff07241d8cfffd9aee06cce9674f0220e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
5f4658b961c01ea49b7460a1e876f85d

SHA1
7725f09c58ce04630ea37b633538dfd038266c81

SHA256
41d24598a19f96425f8755e6aad617f610ae5b4078e8dcc6f18030dbe3b1620d

SHA512
953cefccf2541a982bb9c833118e307a63d4ba6f5eff947b9f97020ee767c7eca1e086ca8b68ee35448e5ee193a27f4a928c14b92117a7a8e301f4f56f73e8db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13351701951660675

Filesize
1KB

MD5
2f187d8521fe245f526fec4133767596

SHA1
609edc7c01ff62fe08937e47331d24bffa784833

SHA256
614033fc1bfc696361209ea9f69b40b436254c039c87d8b5daf3b64242340f76

SHA512
d59776ea2e8ca7b111b852942bbb6afd340a93210a03ccb75951c2d7f6f9db3618ab91cc0d54b69da11afd9ae5edac7364368d15e5be9dfddfcf795c81f0c1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13351701951895675

Filesize
1KB

MD5
be8ff54c6066cfe02478f5b8fe2cb00c

SHA1
fca5eef3cdc55f2506f8c0552fd1dc8d8237936a

SHA256
bd2b4135b90ff386df1be9b39e751bf4125240719e1e87d9bc543fd681ad6ef6

SHA512
bcb7c85506cf322fe9dedccf2554ce943b7605ce24b3e0a14b8f93341ae1f528cc45a92943f8f245fb4ccd10545aa2e9503f5163d56494a71c34fbefff167dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
dbd0f96394fd6a092fb0b82370d44b68

SHA1
4d0d9c7cee06b0e19deb5e382eb7b5c38f9a0362

SHA256
62cb4a96d893b600d5d391d665b56364f4831755af8ad1400c8a5fb08c31112e

SHA512
ce02c82e0e75e1e23fc1a7f04aaf66e165175061700c541e8c84f7cc2df7c9637a6dd304beb39a6669c9b79442743f94cd59fc21eb5573c11fc0d957c26f80a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2189ae09de46a864eb95c0e71ce9a776

SHA1
0cb5751ee93e8132052bb0c7196a304f37455e30

SHA256
c4d25cb2340058017de6989cb1c83c850429f9e039e0d864b7f2f40f277fc99f

SHA512
55bd411652fdf7ac2b165eed942d8eed36d361f6a3600589f71578f0c23c21d2789455a89cadfb22537ddb32509b97be4f639b14d693529b9e14a6ee1ebaca20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
79619bc4d80b581dce6495e4c5ba6e4b

SHA1
0054cd5ed9dc72ec151d7ebf9e2fa19d485dfd48

SHA256
0286eb82eb1bca860a9abd987e44639747559788b7b19bfa24499a1b4291b8c8

SHA512
6f740f0372d26a9abbf3b2008b242ce791f40cd999d043a2598604b5427092b00d1d9a5a5f2a981852d81b8094525bdc6d912705d94abb3eaa7ebc400c15e371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
fb14df89fb90da81bf8aaba369015e29

SHA1
011eca7f62a1c4c678c65a964af5df1a4d663c9d

SHA256
d2ed853a3e0a20c7630c0f7fa639aceefe8f75c06de336ecea3cd9e845a89175

SHA512
3323e751885b52e341ee297edc1a1f6e95b5cb79d92419869f2f4840010019bc3fa6276c00fa80a67283fbbfa321a60c3e77f5bab57a3d79dc0b6fbb5ffa0bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
2df316a7e8710f6d82ecd2500309b888

SHA1
effac932e27197aa99ce8d88e0b0c4f0a020ef6d

SHA256
75b316e6f2d3d39e9d0c88cbf75f2d8ff26482d056daf9310e240f2db7285e88

SHA512
3c221252fc2b5506fdfdd2cbf65b11640f3884ab3686d1d83bd15175bd14836cef532515b8af58120081275043822a49f4e78a61602ba0d605f5551cadc3ea34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
206B

MD5
962a7a68985f8f07310e6db2dbc56956

SHA1
ca3020d5d3c30a3f18ea5e0c9283c9637e9dafc5

SHA256
b890c26a4aacf842e5a7c594330c56c5296ecd63d86f6e8ff684354a624b3579

SHA512
b552ec35dd6e3ab3c778b45a01232b77c859d9fbcdf58cf21471c6e290418b5e26a782a6d68867e7cdcb877e76cdc652057fd2dfe04081ca8366f26eabb3040d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
f5e91aa753cfe076c6a1ad713a81223a

SHA1
bce27a856c00efe60dda6cfd2288e412ee6c6e84

SHA256
1a6d06b3c530984dc0bd5b85943b8732e5e64f9693bcda64fbd75491fbd494c3

SHA512
d8eabca3a4ee36a2d7b22870c8b815f5fe016e4207dcee3d9c39168472bcd297822aa63313b3b8f86bfad3c4727aefe2920ebc28af3df3a8245b31dac2f661ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
c6406300037548f9c98ed157b5e841cf

SHA1
1dbd1f25189440c610b8b3c40ae5066ae4919c45

SHA256
f8776155b47d3d9a98284cd2f4811660c5b2a1209688f41c86f1708c1ca252b7

SHA512
b455bd2eece4c698d079b0bd40be554680a35cdc5599fa192da26ae0e9732cca02b51366df9565abdd57f24594ac679d320862a600b70140b38bbce8f2ba76eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
c7a11352b20b416922632226659e6569

SHA1
7436d37563e7898f96ae7d2cf8ee5cdc87d56d6d

SHA256
8a3710f1c5f5e69aa489b2d2e5468f8fd89328549b4aa0659462a3e09d423473

SHA512
5bb8d0e07de9ae2440b95427f8e361aa56edcbcc4b1d5a8876b077bf3b2fb4ce2bb7c14b727bee755e99fa8a078686cd58e1fd7d5995c6ec70f0628e3bb80f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
409e2cafe2b36a40bcefdf56b3aa550f

SHA1
6875b0064d668bbd729a665ea29bf8dcddcbb0fa

SHA256
649eb474f6b2bcbcb55093a50280123f47216cf7ee9944cd4fd623c66258b659

SHA512
1539d8a25033f3c88b47b0b37fec7cfc45909504eb5436cf3f9612af8bc943703d74afbfe2772a0677be94696bddfe094cdaf7013675f4c16498a2d6306b8e3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3db71c85d6f1291d71e5fc6c53fcbd06

SHA1
b1a993297826a917780fdf5a431acc30faa9ff4f

SHA256
b5e50cd6a5c146253ba44252c5889ecbf75e117a9fa58cc84cb2f924eb424da5

SHA512
07405e885b402cd62ba914b7b5ce7871020765001384248d53646d8cc3dfc6aa0fb9be4ab0ca515dcba552a443ac5a3fc3780a59ecb05f6d22be39006f802a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
3c9608a0973d6f4121c5b48536712d42

SHA1
d2fae3da2a3c82592f62c6de34826876a4e720a1

SHA256
d8c85798f4c6896ec0a96eecc8056556c701f70bd42d104fb96fe6e148098da3

SHA512
482e57bc3838c4fa48d75d3ff94588382619e8c0808af4a3af66612d9d05ffee72ea67a6a93563a12a2a9cde7f17cb2ad7c9591770d61af81e60a8df05ffcaf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7990ee5fa292ffb3bde0b0c62aebb9cd

SHA1
4c8d2782c649c2d0a829677edb722d754189387f

SHA256
4e39e54292d6c9dd97b2dcbf251080fcd7dd1e1678b99c67afa92399f8700613

SHA512
bd5892ce2419525751f3bda5e9f1c43efb8bb6ef22ee8bc78e6f64d0615a1638cc3036dfe1de40c9a824d6eabd11bc59c308abf641e053e3f2451b57cd5381b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
161a78e39b2b9b6399e1f8f14cde826b

SHA1
eb31cc04fdb7e3112cf0601615f68e89ad2d7953

SHA256
f0bccd743f3f5528fa2dfefb1bd597d54c6cd654b1487a1b1f0c9c8595b1537b

SHA512
c92bb4a2886bd5117c6d3a86bbf40be002826c33c5880368f7d839713f93999c4bcaae6c087f41056c2c779c277e74374b71bb1e2e084362d4acca05cbcb701d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6b76409781b223066131d2828ddae1cf

SHA1
bce2167a3b0923f796a30dd3504cf45ca2fcfa1a

SHA256
784a557e4585e699093cac1f1481c826e7dfe0b129de24a46922996ed6defced

SHA512
1790ed1b960ca7cd46e56612f94c472eb782025a040322b84ee58cec73e8f8e57eb1da2e35a9b187def17505852252f25d4e6056ad6148f5d7e2db4018ebbbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
533c5bcfe66fa74f41f9c821449a50c7

SHA1
be08d3825ba0b26f10edacec4284fe180fcce3d9

SHA256
62c5b289b1784847d39152449f9847b893708b19c635229f0340ea4116e03d49

SHA512
414cb16ce612590013f1625ffa46b4e0ed4d9626c6a456f7c10c6b29229f56424ed86f21ef55d282c115c104ee6e5bc89ce91be5195aa952c308d04b5a54c1c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7da7a281dad5c18e927cbb7d47980f6

SHA1
072165e43ca1991df769c89ab0e9f18b875aebdd

SHA256
e61dca80b864af670531d55180a26cb98232470c1219ca201bf71acf8890f146

SHA512
6e565c339cc5d84f8fdd77b531f71a9f70b2a64727a785e1897eee737cb5694f20ea00d04ba95e9150acb5cc8160f23e134aeb464527611483cf5006c4689e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
12ec2590a911126fba587bbda6dd1d0f

SHA1
6d89b25f75d32ef52da2fe2f9ff4109ef99bdac9

SHA256
fc5b8b548d539266d174264d4556886c1bf9d6ba4e6d27eb009e842cd6c34b5e

SHA512
4ca163a4e857c69dce37c06a13448bb334620a783b3c9c1075a4d375c1f0ee11acaad5d2ab206188c6fa22fc540c7c252fcd8693e2d980fb9074ea91f2e14808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
591ca2dd79a25c514627dc58dff5a0c1

SHA1
74c5628086e868d7e1fc85f705ead2bf1503aa4b

SHA256
96c5d2c42d21e15c440a2cd5eb57ea42b170f416d1ce0001fb4523fec08a9847

SHA512
539e63f233d57cc081d4ff6dc831b0bfec06792c9a8609ddf6713e950c50faac17633f61daad8e1336aac6ff904bd3663e9bf3ae3a9c471c10f2be48d0606561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe

Filesize
5.1MB

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll

Filesize
18KB

MD5
6ea692f862bdeb446e649e4b2893e36f

SHA1
84fceae03d28ff1907048acee7eae7e45baaf2bd

SHA256
9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2

SHA512
9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
72e28c902cd947f9a3425b19ac5a64bd

SHA1
9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7

SHA256
3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1

SHA512
58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
ac290dad7cb4ca2d93516580452eda1c

SHA1
fa949453557d0049d723f9615e4f390010520eda

SHA256
c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382

SHA512
b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
aec2268601470050e62cb8066dd41a59

SHA1
363ed259905442c4e3b89901bfd8a43b96bf25e4

SHA256
7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2

SHA512
0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
93d3da06bf894f4fa21007bee06b5e7d

SHA1
1e47230a7ebcfaf643087a1929a385e0d554ad15

SHA256
f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d

SHA512
72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
a2f2258c32e3ba9abf9e9e38ef7da8c9

SHA1
116846ca871114b7c54148ab2d968f364da6142f

SHA256
565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33

SHA512
e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
8b0ba750e7b15300482ce6c961a932f0

SHA1
71a2f5d76d23e48cef8f258eaad63e586cfc0e19

SHA256
bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed

SHA512
fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
35fc66bd813d0f126883e695664e7b83

SHA1
2fd63c18cc5dc4defc7ea82f421050e668f68548

SHA256
66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735

SHA512
65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
41a348f9bedc8681fb30fa78e45edb24

SHA1
66e76c0574a549f293323dd6f863a8a5b54f3f9b

SHA256
c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b

SHA512
8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
fefb98394cb9ef4368da798deab00e21

SHA1
316d86926b558c9f3f6133739c1a8477b9e60740

SHA256
b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7

SHA512
57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll

Filesize
22KB

MD5
404604cd100a1e60dfdaf6ecf5ba14c0

SHA1
58469835ab4b916927b3cabf54aee4f380ff6748

SHA256
73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c

SHA512
da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
849f2c3ebf1fcba33d16153692d5810f

SHA1
1f8eda52d31512ebfdd546be60990b95c8e28bfb

SHA256
69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d

SHA512
44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
b52a0ca52c9c207874639b62b6082242

SHA1
6fb845d6a82102ff74bd35f42a2844d8c450413b

SHA256
a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0

SHA512
18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll

Filesize
324KB

MD5
04a2ba08eb17206b7426cb941f39250b

SHA1
731ac2b533724d9f540759d84b3e36910278edba

SHA256
8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4

SHA512
e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll

Filesize
135KB

MD5
591533ca4655646981f759d95f75ae3d

SHA1
b4a02f18e505a1273f7090a9d246bc953a2cb792

SHA256
4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47

SHA512
915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll

Filesize
1.2MB

MD5
fc57d044bfd635997415c5f655b5fffa

SHA1
1b5162443d985648ef64e4aab42089ad4c25f856

SHA256
17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3

SHA512
f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll

Filesize
140KB

MD5
1b304dad157edc24e397629c0b688a3e

SHA1
ae151af384675125dfbdc96147094cff7179b7da

SHA256
8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb

SHA512
2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll

Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll

Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor

Filesize
104B

MD5
774a9a7b72f7ed97905076523bdfe603

SHA1
946355308d2224694e0957f4ebf6cdba58327370

SHA256
76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81

SHA512
c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutPut.json

Filesize
1KB

MD5
f6ce70d5466fe074a3b419543ff95d8b

SHA1
915d6dc9ca2686d63979e77adc43d71c9678e534

SHA256
6a509971a9cc11490946cb7b33864da43cd3af9f25673c130fc3bab5c365ff29

SHA512
93e83de5d0a96cd71dcfb8f9ab3b32ed2afaa388a77ac450dd7fdca11dcf2ff0d59db54107c936859d6df3b6d28630b2e9907e0b546e8b27336b684bcbed84f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenManager.dll

Filesize
2.0MB

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4uzekz2e.fvd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.db

Filesize
20KB

MD5
56b941f65d270f2bf397be196fcf4406

SHA1
244f2e964da92f7ef7f809e5ce0b3191aeab084a

SHA256
00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c

SHA512
52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
640B

MD5
e49909499305068762ec25115c46f11d

SHA1
445a64cf41f9da782e7aab1d10049045b708748b

SHA256
8b9189e4766c030efe2c900337a19c532806164d09d1ccd5bfbd90315c8c9ab7

SHA512
20f57bcf1558370293940b3a9de29fb0850fb5f1d513bd6ba2d545df3d2f78d3161d7d12038f862404374bc90d7e4c3d9936d17b8160a2157bc4dfb5068215a6

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
2cdb6a5b0779623b195d3b21700186a6

SHA1
c511d31785a770008a3be01914ad7362c5ec0d72

SHA256
15fc70ab494034c195f072b3a907a5beba5c4defd2c93f2fc63c2488d9a48237

SHA512
320cc11985c6397243feea197960fbbb189108d1aa2ed0afef9528ab60a9e5819642a4ef0219dd5176320c54b12125e0ad2765f3e51705aca944a1572d0336c5

Download Submit
\??\pipe\LOCAL\crashpad_4988_XYREBKPPLSOFWVFX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2184-364-0x000002B281500000-0x000002B281510000-memory.dmp

Filesize
64KB

Download
memory/2184-359-0x00007FF8637B0000-0x00007FF864271000-memory.dmp

Filesize
10.8MB

Download
memory/2184-363-0x000002B281500000-0x000002B281510000-memory.dmp

Filesize
64KB

Download
memory/2184-365-0x000002B2FF9A0000-0x000002B2FF9C2000-memory.dmp

Filesize
136KB

Download
memory/2184-368-0x00007FF8637B0000-0x00007FF864271000-memory.dmp

Filesize
10.8MB

Download
memory/3644-394-0x000001EFBB5C0000-0x000001EFBB5D0000-memory.dmp

Filesize
64KB

Download
memory/3644-396-0x00007FF8637B0000-0x00007FF864271000-memory.dmp

Filesize
10.8MB

Download
memory/3644-392-0x000001EFBB5C0000-0x000001EFBB5D0000-memory.dmp

Filesize
64KB

Download
memory/3644-387-0x000001EFBB5C0000-0x000001EFBB5D0000-memory.dmp

Filesize
64KB

Download
memory/3644-386-0x00007FF8637B0000-0x00007FF864271000-memory.dmp

Filesize
10.8MB

Download
memory/3792-397-0x0000000002E40000-0x0000000002E4C000-memory.dmp

Filesize
48KB

Download
memory/3792-378-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/3792-379-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/3792-162-0x000000001DD70000-0x000000001E244000-memory.dmp

Filesize
4.8MB

Download
memory/3792-0-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

Filesize
56KB

Download
memory/3792-398-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/3792-399-0x000000001C5F0000-0x000000001C5FC000-memory.dmp

Filesize
48KB

Download
memory/3792-352-0x000000001D9C0000-0x000000001D9CE000-memory.dmp

Filesize
56KB

Download
memory/3792-5-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/3792-4-0x00007FF8637B0000-0x00007FF864271000-memory.dmp

Filesize
10.8MB

Download
memory/3792-3-0x0000000003050000-0x000000000305C000-memory.dmp

Filesize
48KB

Download
memory/3792-2-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/3792-1-0x00007FF8637B0000-0x00007FF864271000-memory.dmp

Filesize
10.8MB

Download