xworm | f9855926bc7131cc3ce3cb5a4e4943f2048787296fd6dfd4d663457dcf511a9c

Analysis

max time kernel
298s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

34KB
MD5

e1f7cbb395ee3aece6b8749bf6aaa4a7
SHA1

0d081adb293d89155c55dcedf7a0fb2188a27a92
SHA256

f9855926bc7131cc3ce3cb5a4e4943f2048787296fd6dfd4d663457dcf511a9c
SHA512

9e007c0c8668432a89ca4ed20d02ed1f707b0006183657e813a9fc5e26c173696e7e92e221e56f035451725492cfadf5fae6200cdad241c783055d6750b5a765
SSDEEP

384:YIwDnjTJeDs3fL9bnfHIAxNFR2EguTOQRzpkFXBLT0OZwEJN2v99IkuisptlH6x7:S0D69DfHIAxNOsTlwFo9jDOjh/bk

Score

10^/10

xworm ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

tr3.localto.net:44953

Mutex

JAXr5VvuESQ7Hfoo

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6919369290:AAGnnKr1Yo67mV9jYUriuVi-XAno2tdvbq0

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3496-1-0x0000000000D30000-0x0000000000D3E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops desktop.ini file(s) 17 IoCs

Processes:

test.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	test.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini	test.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	test.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

test.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3988 timeout.exe

pid	process
3988	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4264	msedge.exe
4264	msedge.exe
1660	msedge.exe
1660	msedge.exe
4816	identity_helper.exe
4816	identity_helper.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1660 msedge.exe
1660 msedge.exe
1660 msedge.exe
1660 msedge.exe
1660 msedge.exe
1660 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 3496 test.exe

description	pid	process
Token: SeDebugPrivilege	3496	test.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

868 OpenWith.exe

pid	process
868	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

test.exemsedge.exe

description	pid	process	target process
PID 3496 wrote to memory of 1660	3496	test.exe	msedge.exe
PID 3496 wrote to memory of 1660	3496	test.exe	msedge.exe
PID 1660 wrote to memory of 4236	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4236	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3024	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2060	1660	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4a8b46f8,0x7ffa4a8b4708,0x7ffa4a8b4718
3⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
3⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
3⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
3⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
3⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
3⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
3⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
3⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
3⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
3⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,12206396229632605106,12946581189643506274,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB05.tmp.bat""
2⤵
PID:1496

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
92c8bff21fca02ee56dc2f6cd797f52a

SHA1
8e1ae6986559812bdc3d9e56338159fd539a4c92

SHA256
3cafb7e04b2ca6c9a4f78e9992b302b102ba0934814a3a01b005a64bf28ae119

SHA512
8521d9846a1e248eee63887cbfb26dcf9913e2972aae3009faab7c72f8c50fbcf6eb885bf5b2ce02c23752fefe4423398e9f9eb0462e91c2929fd5ee8f73498a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
48f55e3e533930eccf56b6e0905d7e47

SHA1
640f5fbd43503a4e324550a5946390316a160448

SHA256
cc8c4f0bc5b3e5c95eb27ecb6495e5c359593b5216a7d857c7b9afc64b24bff1

SHA512
8422cf0ba05c8be6cac60bf32d256cdebe4d83331457f845c676b598f890095df4e586d78bfc2592eb6cd33a3a8bf83d5b7508f6881ff9b5308bc0fd8d2f4998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2657cfd29650b2418079aa62b2341181

SHA1
2bc22261d4ee6dda66cd3d29b961da494b7de15f

SHA256
328c237dda8cfd60f2d9a9d4e562fae5eadc978f923a9a75f7cbd3996660afc7

SHA512
e077a5911ae3c10a4ab9b9dfd0f7cd41e8245688aac3f9d837f19802a28ee5116b031a0ffaea85204c94b40b4f34dcee853b8fdaa1ebb8cdbabe09fc374cb85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e68d5e9d66a37a9e093d2840e9843565

SHA1
56e70ab3c33d0214d332fa7070281c4dc73cab8b

SHA256
9a791fad2b3007b557e4239f53bb2cb1a326c552eaf04772b3bbd3c36b530390

SHA512
b42ad5259b3b327c2cd3ebe74c215b55c9dc36ad8c52ce42a753e49074906ff912521a06bb9f7677786ec75e8e6701d702882b9dc30480709e8f344c638e26cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB05.tmp.bat
Filesize
156B

MD5
d7b67e31da3e985120a1bcc5d554f58f

SHA1
274db85728b1aa0b9354bae516311ecb29bfe31d

SHA256
7d5897f282545f7278032d61caefed73a9872ca7ebf5976404fa2f23adece139

SHA512
620ee1b67fafd1407ce141a5b0fb506108e12202fc3cad4a3a1d4e8f73dde7589710b14504dab09dac4066969f4499e825e218d8d34628d8c4eadcb5896ee809

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html
Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize
16B

MD5
fa958f5ed3fbe2c6542577d95d277108

SHA1
9ec9dc428fa565f63d7b4ae5c30bf1b750971eed

SHA256
36c56edca12b7ea7455d245d74ca2026b19737794a5e2dc6c8bfb50b6406fab5

SHA512
1903499fbd7103a0bfd88f66e6f08fece81ae052070f50a0a47e8bbed9edc4c28cacfc420a0d69d5e6173fc9e3d9c42e9f80553dda087b34ad233e0920119e29

Download Submit
\??\pipe\LOCAL\crashpad_1660_LHDFHEZWILPSCHWY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3496-0-0x00007FFA50443000-0x00007FFA50445000-memory.dmp

Filesize
8KB

Download
memory/3496-7-0x0000000001550000-0x000000000155C000-memory.dmp

Filesize
48KB

Download
memory/3496-6-0x0000000001540000-0x0000000001548000-memory.dmp

Filesize
32KB

Download
memory/3496-5-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp

Filesize
10.8MB

Download
memory/3496-4-0x00007FFA50443000-0x00007FFA50445000-memory.dmp

Filesize
8KB

Download
memory/3496-3-0x0000000002F60000-0x0000000002F6C000-memory.dmp

Filesize
48KB

Download
memory/3496-2-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp

Filesize
10.8MB

Download
memory/3496-1-0x0000000000D30000-0x0000000000D3E000-memory.dmp

Filesize
56KB

Download
memory/3496-900-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp

Filesize
10.8MB

Download