xworm | hxxps://toffeeshare[.]com/c/ux33t6z3R-

Analysis

max time kernel
93s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 16:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://toffeeshare.com/c/ux33t6z3R-

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

22.ip.gl.ply.gg:32632

Attributes

Install_directory
%Temp%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3612-163-0x0000000000C30000-0x0000000000C5E000-memory.dmp	family_xworm
behavioral1/files/0x00080000000234e7-206.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4528	powershell.exe
2896	powershell.exe
3164	powershell.exe
2296	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
760	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.exe"	TopografiaKomputerowaPDF.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	TopografiaKomputerowaPDF.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698548426850842"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
5076	msedge.exe
5076	msedge.exe
2064	msedge.exe
2064	msedge.exe
5680	identity_helper.exe
5680	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 4296	1796	chrome.exe	83
PID 1796 wrote to memory of 4296	1796	chrome.exe	83
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 4688	1796	chrome.exe	84
PID 1796 wrote to memory of 3264	1796	chrome.exe	85
PID 1796 wrote to memory of 3264	1796	chrome.exe	85
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86
PID 1796 wrote to memory of 1140	1796	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://toffeeshare.com/c/ux33t6z3R-
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcfff0cc40,0x7ffcfff0cc4c,0x7ffcfff0cc58
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4700,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4964,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,5358919744344652749,1071459759957917060,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  PID:760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\InjectorV1.bat"
1⤵
PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\TopografiaKomputerowaPDF.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Users\Admin\AppData\Local\TopografiaKomputerowaPDF.exe
  "C:\Users\Admin\AppData\Local\TopografiaKomputerowaPDF.exe"
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  PID:3612
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce8dd46f8,0x7ffce8dd4708,0x7ffce8dd4718
      4⤵
      PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2829641695869374886,10456459498570232909,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:2248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2829641695869374886,10456459498570232909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2829641695869374886,10456459498570232909,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:4436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2829641695869374886,10456459498570232909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2829641695869374886,10456459498570232909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2829641695869374886,10456459498570232909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      4⤵
      PID:5544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2829641695869374886,10456459498570232909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\TopografiaKomputerowaPDF.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Users\Admin\AppData\Local\TopografiaKomputerowaPDF.exe
  "C:\Users\Admin\AppData\Local\TopografiaKomputerowaPDF.exe"
  2⤵
  PID:3320

C:\Users\Admin\AppData\Local\Temp\XClient.exe
C:\Users\Admin\AppData\Local\Temp\XClient.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
303992872741c918304830484027286d

SHA1
97c8144f204c80c13ee7520c29c2f329c0a2da32

SHA256
6d5d0171292e0882babd756c3bf6cfb523a9910f51c926e15f816b7251781728

SHA512
b7e9a863ee2a7d4e0f43f495a4a0f3122d23abd6d9831dd85b221d49d474611c94f4bf9e2ea3bc6c99cec659f95175fd83bbe5839c5fbe5c16e474285eaa9687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
4f3cfe3b977afb4121f4cc9849549f10

SHA1
832ac499fbea9ea53de50f370d6ca6b130c021a8

SHA256
a6d649f069be618b853d3df574651d834904e0ee41525fb7a619f4b5f2a92f88

SHA512
e096d82ab2792957930faeda2d29b8ed767c28277664dc4fa1fe98158e1369028f8c1362495e6e0eb8eed682eefccbbf66faaafdf243dd44ef69eb33210e3e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8baf78d5697b6eea2ea81f49277d9130

SHA1
49820b13205df25395feefd5e182b327a40fef4e

SHA256
b15031ba1e455cf8ba9aa5df065f5a5e911ce44af33380a5bee70460b6a22826

SHA512
e5db328668256d0e8cf1c3d3634338a011352463034201a5aa9db40593fd18e9e0fdece09d557cb887b21a4bb2a8c38564c0e1b1693fb1ceebe8667d73b5749f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
320786ebdf17b58dd3aca045ab4d004f

SHA1
f9ef75ba08419422b8cd76954134fa199e55746d

SHA256
64d6ae21721ab531452ce5e17eb1fd507ad0115b73e1c6f9b164790b917d74d3

SHA512
9a89dd79864e2253a52d6b418a19d94ab8a9b3e4dafa13a3affd9fb5e3f1d73449346d05c2588ecf3ca97554de95835e141ae9e96ea56fc0436129429ead7c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a86596b833752f39552d08d443c62c1

SHA1
cba31f07640c6aee7c4e78ce738816cef416e4cf

SHA256
7d1868f4e002d493bdc94554da5f1903907e51b88976f816ca8dfce34daa784f

SHA512
320167a6fceea521d5bea48d91d0d49ced07824aa0eeed55030491ff01b029e841c3e5fb1b57292a842f53e3e69f316f45ad0db49361230a14b2bd954a1bc655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2461628ac50ebd4d71667397700c161

SHA1
6af2e35938e05d723c8b5e0295db640387f87108

SHA256
a07b0d2a8a2aa779ff6a81e1f32375948eb778b2b1bf4894bb08705935e915ea

SHA512
c99592a2f24819b599319185535283d0593199ae0fade8ea326683abcf97251eec808e06aa32ca9a62d0af4268c7b03817ca6a7a68d01576bd801503b9b57423

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7621ab2f3c5245ef808c1ac3442693e8

SHA1
6522e5f4ecbf4754b7d00c873d1179a1fb66f18f

SHA256
8bba3258928f3b7f18ead9d1b3866010fd0da69df348e3602e734b85e65ce528

SHA512
1b9cb8d169c507140269eec55891194a3dcdbb14b240b45abd73c5ced57db1cfa7c666f27b4bfb144791edcb51d66df3b7f9e2ace829215cd59108e4280410a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
004c943ede0d3a08b701baf2382c60c5

SHA1
4f5ea86ad4f56422d4961ed55abaf09300187624

SHA256
7f7c758b955e913fc7b7aae21dee60cb0147d2568dd5106bcf891641f32a3319

SHA512
e1205b5c95c36f7bf91b54cf6b38d9da48b4443d6fc1916473555a1acc4969979538b86ecc9df07459e6fd418fb03af84ac013c5f7d0a04db558652675c88cb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
71262569612beb2511282d2f25ed7f41

SHA1
09e89ccc6adf07d3e169529304059d02466f2c4d

SHA256
a6862fb6afd8db9af2be80c2579d2e043266af2e34050d0bb9c6154549ce26a6

SHA512
85ea2a0343eccce276b3f686f8eb3b5f6966046e5d871acb898e619f9930b0f5dd9fa3b96eb361522971b19f1f7571e62d8f060cc4e059d4528f29c41235ae1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
57e956a6a5534e5ce5a47d4dbbe662d9

SHA1
79b97b24e17e5aa5abea09a63aa1675937321ad5

SHA256
a7191ef363e658a907cb9576192b853386fd1a875d9570f6f37aa583d6788628

SHA512
09b1988dde3f1530ad250ad5589987c71d6d1efc824be6da4dfdddcd613a50a601d80935a490b45f61855b3c05625c04f9484c125cdc1f6ae4eec8aeba420560

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
264c2e0fed73f0704c0803cf005a24e5

SHA1
123f64e1e8a371188ecaf1ad2efc9fefea54f7bd

SHA256
983fc50c18c88429eda7ebcf480bd232b9ba5d82e3052b8f714ee8111ab553c6

SHA512
e7f79e59f54a36f9c9596fe864bcd84e7db21f90a850cb68e57abaa755c325349e2048cdc6a8d6383efd4f113de70c43dc6723973f060cddc4c78c8a3be1958a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
dc86dca6662e34ff712b0d41a172d22b

SHA1
60e3bab8d30db7bc7f326d66a507e800baba4220

SHA256
8d3b4e85c6552101a46d2d4a022106ea3b173f4c680274177482a2bb2a46359e

SHA512
2d2bd87d079e1dfbb96ad8069ad7e2affb559ac812504b6965065ba96c81f37c744ad990655e8e5ab2fda2d86b9e0b149e0d877fab536408eb0a96c2bbdb6b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b16a6c2ee776bdb83814e7fa61205dab

SHA1
bc67a598ab9f39041eaa962b90285e0c303e00ac

SHA256
5811bd31d5ed8e57e8f14e7dc6767833c478f49a9ca25efc3bf9a3e3e61a4be0

SHA512
6579658344c018cb83a946de5cd3e7ee4a597f31d9422fe9295f4253617ccd25cc4f94e785271c030403da8f65af0695cff967226481fd27b42da28585b5c761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\29bc00a8-ba74-4941-bda3-a3923ecf4ccc.tmp

Filesize
5KB

MD5
5d63bcdbce79844cbb9f84cefbb61b66

SHA1
2d2f21ae3c1f130a66ddc33deb135b4ef684eff8

SHA256
1b2aacd284401c4334a5d3786c22bd0eec7c02b8a7f20e018823118796cb97f6

SHA512
70c51d0a1e0f20b9ce9ad9d67a98724f110bba12a4a2eca30383f0f774d0c463121b85fde028fd9bf215a460952e4e6166465296656aed1e0e44231df547a639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2abca52d99560fa0bd69abc7bc2c86d

SHA1
bd830f679cd3b57a14c9c389d714ce89fd81d7f3

SHA256
a436e7f7772b8c4681fbe710ed8dff95390a35ce08008db87ae2b2b41847bcb9

SHA512
6873913e4334b53b560081baa97aad59a84baf7ce8321f60298caa55866b5b5febe040b9ff1be9a8108c4f10507f5f5dd46e2c32d0c3ce989440487672007a33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eb38425507de3ed38fcba8677b9f76d4

SHA1
4cd16dadf6c1bd97ef6b496bd0f0f318eb65c23b

SHA256
8b264bfd614c3d9638d683e1061999595abe307367f8c970cf98bb822f377f06

SHA512
cef7778e8bb78b7c8ae79272f1cc4e0a66f0805a65af415037f5440e12dc5d69f4b99db7465cd625308218f966db4e97b532db4452664483f7c6de17f1686ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
157KB

MD5
939fa623e53a07f133a10ff6f6852b23

SHA1
5b55632c3322d8f3ff8f9d4056770a6f6854003c

SHA256
51aedc7d0cb52b1b96acdc40bcdb6f62e92aeb85608ced0645776bd45a421629

SHA512
b4b2fae97b72723e0a86e55f322cd17a2d439b7ef286475e18639caeebff96d3c88d524e41b768d95c8e3c037e1a5dd1d4c13c6d81e72a089bab395f37ae7e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_myyrynnh.qb5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\Downloads\test.zip

Filesize
54KB

MD5
3484d61fbec25e3943492200cc824aa0

SHA1
e38c02872f20a3c9f1c705e08067b2fd8509b33f

SHA256
dff16162119f6d660acabf29ffd09f1d8b42d0e9aa64bbcbf0c42382422ea4f7

SHA512
1e80a6a6245470b5e5dd53dc16d93c0b8e1b364deb2840603a1380eedc67a2cf160e3d86432199fe37f3d488f7d4e5bb91dbc449aec50cc344abafe9ad8300c7

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
97907a5270bf09860432690cbbb9b09c

SHA1
1f9ab4b116eef2bb7a8bdee1a5454c0d556ca9f8

SHA256
12c806766265a47a6de3c505817c137f14b2caebe482ed2e3e625a20c8a3149e

SHA512
b41118e9b03b06f503a747905ec8393912bd210b090443c27e8350d307e8ba7a20eda8e1ed03734b5d39bc8ca77eb3f44d9d07b93281ecda1ad44472d3969955

Download Submit
memory/2296-125-0x000001741AC00000-0x000001741AC22000-memory.dmp

Filesize
136KB

Download
memory/2296-139-0x00007FFCEA690000-0x00007FFCEB151000-memory.dmp

Filesize
10.8MB

Download
memory/2296-131-0x00007FFCEA690000-0x00007FFCEB151000-memory.dmp

Filesize
10.8MB

Download
memory/2296-130-0x00007FFCEA690000-0x00007FFCEB151000-memory.dmp

Filesize
10.8MB

Download
memory/2296-119-0x00007FFCEA693000-0x00007FFCEA695000-memory.dmp

Filesize
8KB

Download
memory/3612-208-0x0000000002D10000-0x0000000002D1C000-memory.dmp

Filesize
48KB

Download
memory/3612-195-0x000000001CAA0000-0x000000001CAAC000-memory.dmp

Filesize
48KB

Download
memory/3612-163-0x0000000000C30000-0x0000000000C5E000-memory.dmp

Filesize
184KB

Download