Overview

overview

10

Static

static

10

XClient.exe

windows10-2004-x64

Resubmissions

21-05-2024 16:26

240521-txyqyabf56 10

21-05-2024 16:11

240521-tm8s6abe3x 10

21-05-2024 16:06

240521-tkknjsbc68 10

21-05-2024 16:02

240521-tg8k7sbb83 10

21-05-2024 15:59

240521-tfbj3sbb35 10

Analysis

  • max time kernel
    125s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 16:02

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    32KB

  • MD5

    796d46d24a498cbd5c0161979b6b97ae

  • SHA1

    0bad45e27d99ab1900cbb99bd97895c2286f7c53

  • SHA256

    1e3b4846c9c304c0ea408381e99c1f80940cdd7e3d30170afd23ab492bfd5d13

  • SHA512

    0046a95e056a3e7385d46fd383e3bc48b0b6891726d2dbcb2901139af5c9d1a3bb415446fc236b68cbf0a87cc13185f6fb2604447f02228c9c1f92f67a0593d4

  • SSDEEP

    384:5YxRXcrP31VZBELRUnvJff3cdiwOURJpkFTBLToOZwxJd2v99IkuisuVFxOjhlbD:lPjgRevJ3cdIUGF/9jTOjhlbD

Score
10/10
xwormevasionpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

ee7Mn1pG1AADdFhL

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/LY8grq3Z

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\pvolaj.exe
      "C:\Users\Admin\AppData\Local\Temp\pvolaj.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies WinLogon
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4204
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
        3⤵
          PID:2540
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im explorer.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1796
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im taskmgr.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1044
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic useraccount where name='Admin' set FullName='UR NEXT'
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1124
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic useraccount where name='Admin' rename 'UR NEXT'
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown /f /r /t 0
            4⤵
              PID:1908
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        1⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd821546f8,0x7ffd82154708,0x7ffd82154718
          2⤵
            PID:4508
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
            2⤵
              PID:4552
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3124
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
              2⤵
                PID:884
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                2⤵
                  PID:3220
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
                  2⤵
                    PID:3836
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
                    2⤵
                      PID:4144
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
                      2⤵
                        PID:556
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
                        2⤵
                          PID:3716
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3924
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
                          2⤵
                            PID:1852
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
                            2⤵
                              PID:4500
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
                              2⤵
                                PID:4404
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
                                2⤵
                                  PID:4588
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5180 /prefetch:8
                                  2⤵
                                    PID:3104
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5156 /prefetch:8
                                    2⤵
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3236
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                                    2⤵
                                      PID:644
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
                                      2⤵
                                        PID:4796
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,5944725411860330640,7089880556638601382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
                                        2⤵
                                          PID:760
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:4892
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:4544
                                          • C:\Windows\system32\LogonUI.exe
                                            "LogonUI.exe" /flags:0x4 /state0:0xa39fe055 /state1:0x41c64e6d
                                            1⤵
                                              PID:3264

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              612a6c4247ef652299b376221c984213

                                              SHA1

                                              d306f3b16bde39708aa862aee372345feb559750

                                              SHA256

                                              9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

                                              SHA512

                                              34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              56641592f6e69f5f5fb06f2319384490

                                              SHA1

                                              6a86be42e2c6d26b7830ad9f4e2627995fd91069

                                              SHA256

                                              02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

                                              SHA512

                                              c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
                                              Filesize

                                              64KB

                                              MD5

                                              d6b36c7d4b06f140f860ddc91a4c659c

                                              SHA1

                                              ccf16571637b8d3e4c9423688c5bd06167bfb9e9

                                              SHA256

                                              34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

                                              SHA512

                                              2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
                                              Filesize

                                              69KB

                                              MD5

                                              aac57f6f587f163486628b8860aa3637

                                              SHA1

                                              b1b51e14672caae2361f0e2c54b72d1107cfce54

                                              SHA256

                                              0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

                                              SHA512

                                              0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
                                              Filesize

                                              40KB

                                              MD5

                                              e3194d50cb1d9e1b1ad60c84f49460db

                                              SHA1

                                              a53dbbd0fb9005e83a915aed35699b2de1f7d1bd

                                              SHA256

                                              e885b73c5815f01055b7fd325b670b992ddbf993189f81dbf375992a473a85a1

                                              SHA512

                                              435e60331bd918292b168c9b999b52f777838a6c49bdb0f2f41f9aa75687eb6e580c229880a4f98ae57c5ac940b51638ed99466c141bce253d04af8d739d3754

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
                                              Filesize

                                              19KB

                                              MD5

                                              2e86a72f4e82614cd4842950d2e0a716

                                              SHA1

                                              d7b4ee0c9af735d098bff474632fc2c0113e0b9c

                                              SHA256

                                              c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

                                              SHA512

                                              7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
                                              Filesize

                                              63KB

                                              MD5

                                              710d7637cc7e21b62fd3efe6aba1fd27

                                              SHA1

                                              8645d6b137064c7b38e10c736724e17787db6cf3

                                              SHA256

                                              c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

                                              SHA512

                                              19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
                                              Filesize

                                              88KB

                                              MD5

                                              b38fbbd0b5c8e8b4452b33d6f85df7dc

                                              SHA1

                                              386ba241790252df01a6a028b3238de2f995a559

                                              SHA256

                                              b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

                                              SHA512

                                              546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
                                              Filesize

                                              1.2MB

                                              MD5

                                              153d9573f0f824b040ac13793d95e406

                                              SHA1

                                              f8a73c205962012c4fa5b93ccbc77d7b1be3b5d8

                                              SHA256

                                              c70c12b65715e837682baf0eea8ff99a7531d9036b0b5a9d640def85df92d016

                                              SHA512

                                              5e0f64f8d333be4fff5b869952fe18f3189d6af97bfce10aad8acae96153b790108351083f1b80c40d76cebdca35e5d7e0f3371c588a02c74e6ea0055a3d2b20

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                              Filesize

                                              1KB

                                              MD5

                                              7edc76a189b3784cd48a3f75d7702acd

                                              SHA1

                                              e72b366dcf7ffd6dd5c833d52564de68a600ea46

                                              SHA256

                                              5d0bc7c02024f19b8f9371ceea4438c9bf93862564e399c10de4f46f88d24e44

                                              SHA512

                                              7843417efc5184bd7d60c3d1cadfefa94ac5c5741930885784b8167da1c1aa135c321e577ffd05c62c80d19c1f5dc1fcc15fa066c9f6f9c75f9298e660b86617

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              5KB

                                              MD5

                                              cdf0a8f8032781e1ea893f277ed8d7b3

                                              SHA1

                                              60f2c06e71e7cb7978d937bbcffe178fab546a53

                                              SHA256

                                              20803e8adb3d0357f9f88201dccf5e74ac4f950afac9b24c744669896001a479

                                              SHA512

                                              f8b0d9558496c57e412bd72b922c7c88be48a88170b0bbbf4ccaf81adb6724c3690f15c62ac777e8c55574ea8700b0397e40400ffc7677f1998be1dd490d7b9a

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              6KB

                                              MD5

                                              cc0e483af2064b4e71fe8962c3d0fc49

                                              SHA1

                                              9fd776621604304f88e54e9aa2ede1b9fd6ed39e

                                              SHA256

                                              60b0b66de98012a3ea7b59e169adc722ef4910f0acf720f557d0aff2c15406fa

                                              SHA512

                                              11f8dfaa5a4b4b701e73ef1f74f2f5856e7b06df5a007c42aaf05ef72a2e21bb3468f88fc835a4be3bd135e2b408aae43fac6f50665700be8d75049ea9f0ac09

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              6KB

                                              MD5

                                              cf71abd5b7490370aa560285ebeb3db3

                                              SHA1

                                              7557a73fc1834257061c8376f483286c55309fe6

                                              SHA256

                                              66d3035c770da286468031ce5294deda59650a40e75f15b7b16ef89b8b6138b7

                                              SHA512

                                              bd9c67e774747bdee89caa1327d2516e95f87d9a938874867dd0e2f6ae0a922bcd88baa24e80f485be49741c4b91c09ec85a48ecc0c6a3d6ffc6d3188fca11c9

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                              Filesize

                                              538B

                                              MD5

                                              cd490c9439d641d241fe3fb6d6c76c75

                                              SHA1

                                              087e9b1af2694b34267cc1247c29dce1b1c7b97c

                                              SHA256

                                              522aaca3cb03da22da20d7b5465a1e45c5531feb627d0cf1610fda07eab193a8

                                              SHA512

                                              f5224e909b888670af781b438c6c2572cd008237a7cd865eafffa14a06410e7c7ed76447677e91bf3d0080e07392d89947a44f1f7940607f7df2fefa1d46ad4a

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592292.TMP
                                              Filesize

                                              538B

                                              MD5

                                              6a869f554cd3ae9930c80d812047018a

                                              SHA1

                                              d79ad5bc25e66e95ad0dec407948fef4d27a44c8

                                              SHA256

                                              fd03e523be76fbabc2d6b28005515d4e760583b45cdec11f2f2b24c1ef15c9a7

                                              SHA512

                                              fac8df2811f604a61d784b389c49fe40842c6f4def121a0b6693353ade0c0cc7a0adf54d8bdd461b2cce8abae5763eb15c606c569ab78b6fb2669a3df6c3607f

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              46295cac801e5d4857d09837238a6394

                                              SHA1

                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                              SHA256

                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                              SHA512

                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              206702161f94c5cd39fadd03f4014d98

                                              SHA1

                                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                              SHA256

                                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                              SHA512

                                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              11KB

                                              MD5

                                              9b1785136bb57dc824f42d5ca407e9d7

                                              SHA1

                                              1d59dce58172caf4103adb7b56e545e5a561e95d

                                              SHA256

                                              21c5074d9aa209183aa632deb1ed2e41511989b69ec8cd2b8ab67855a98d8255

                                              SHA512

                                              cee9e21c0279e957a32307213c6b64b59fc77c5c512c71fac2041b21e93524075de949f4800f8ed7da99f76eb172937c443a97933aca9d1e12b23bc2a77aa541

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
                                              Filesize

                                              896KB

                                              MD5

                                              68c9063ce308a372e7c5ba1b2680a9eb

                                              SHA1

                                              cde13d937fe5dc92e52a11e0da4249f7a467bbad

                                              SHA256

                                              5b05ccef1318b96482cb4b15c91417a528700c78673d46458746f38b49d1fe3a

                                              SHA512

                                              d4c34d2cdc154122daae0af22c6aedf081b659e5b5617ae0f39406d09ff7f3574df97f4349312f22f0f89465ab8c284dc2b84ff7d74dbfc0fe9ba1b075dc7c5d

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
                                              Filesize

                                              9KB

                                              MD5

                                              7050d5ae8acfbe560fa11073fef8185d

                                              SHA1

                                              5bc38e77ff06785fe0aec5a345c4ccd15752560e

                                              SHA256

                                              cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                                              SHA512

                                              a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\one.rtf
                                              Filesize

                                              403B

                                              MD5

                                              6fbd6ce25307749d6e0a66ebbc0264e7

                                              SHA1

                                              faee71e2eac4c03b96aabecde91336a6510fff60

                                              SHA256

                                              e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

                                              SHA512

                                              35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\pvolaj.exe
                                              Filesize

                                              6.7MB

                                              MD5

                                              f2b7074e1543720a9a98fda660e02688

                                              SHA1

                                              1029492c1a12789d8af78d54adcb921e24b9e5ca

                                              SHA256

                                              4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

                                              SHA512

                                              73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\rniw.exe
                                              Filesize

                                              76KB

                                              MD5

                                              9232120b6ff11d48a90069b25aa30abc

                                              SHA1

                                              97bb45f4076083fca037eee15d001fd284e53e47

                                              SHA256

                                              70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

                                              SHA512

                                              b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\windl.bat
                                              Filesize

                                              771B

                                              MD5

                                              a9401e260d9856d1134692759d636e92

                                              SHA1

                                              4141d3c60173741e14f36dfe41588bb2716d2867

                                              SHA256

                                              b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

                                              SHA512

                                              5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

                                              Download Submit

                                            • C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
                                              Filesize

                                              396B

                                              MD5

                                              9037ebf0a18a1c17537832bc73739109

                                              SHA1

                                              1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

                                              SHA256

                                              38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

                                              SHA512

                                              4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

                                              Download Submit

                                            • \??\pipe\LOCAL\crashpad_4772_TQATMZWIINGQZBTX
                                              MD5

                                              d41d8cd98f00b204e9800998ecf8427e

                                              SHA1

                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                              SHA256

                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                              SHA512

                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                              Download Submit

                                            • memory/1836-4-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/1836-1-0x0000000000F70000-0x0000000000F7E000-memory.dmp

                                              Filesize

                                              56KB

                                              Download

                                            • memory/1836-1295-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/1836-2-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/1836-3-0x00007FFD85903000-0x00007FFD85905000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/1836-5-0x0000000003000000-0x000000000300C000-memory.dmp

                                              Filesize

                                              48KB

                                              Download

                                            • memory/1836-0-0x00007FFD85903000-0x00007FFD85905000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/4204-442-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-443-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-446-0x000000000C4A0000-0x000000000C4B0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-447-0x000000000C4A0000-0x000000000C4B0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-448-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-449-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-444-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-450-0x000000000C4A0000-0x000000000C4B0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-445-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4204-439-0x000000000C250000-0x000000000C25E000-memory.dmp

                                              Filesize

                                              56KB

                                              Download

                                            • memory/4204-438-0x000000000C280000-0x000000000C2B8000-memory.dmp

                                              Filesize

                                              224KB

                                              Download

                                            • memory/4204-420-0x0000000005FD0000-0x0000000006574000-memory.dmp

                                              Filesize

                                              5.6MB

                                              Download

                                            • memory/4204-419-0x0000000000980000-0x000000000102E000-memory.dmp

                                              Filesize

                                              6.7MB

                                              Download