Analysis

  • max time kernel
    197s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2024, 23:24

General

  • Target

    https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:19998

close-todd.gl.at.ply.gg:19998

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 12 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a14718
      2⤵
      PID:2956
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      2⤵
      PID:4132
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2468
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      2⤵
      PID:3188
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      2⤵
      PID:3164
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      2⤵
      PID:4788
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
      2⤵
      PID:3136
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
      2⤵
      PID:4340
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1096
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3988 /prefetch:8
      2⤵
      PID:2516
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      2⤵
      PID:1276
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
      2⤵
      PID:4292
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
      2⤵
      PID:3380
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
      2⤵
      PID:5180
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
      2⤵
      PID:5188
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5748
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4616
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      2⤵
      PID:3628
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      2⤵
      PID:4808
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1408
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1972
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5900
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\Fixer.bat" "
    1⤵
    PID:1456
    • C:\Windows\system32\lodctr.exe
      lodctr /r
      2⤵
      • Drops file in System32 directory
      PID:5472
  • C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe
    "C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe"
    1⤵
    PID:6060
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5136
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SystemSecure'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSecure'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5648
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemSecure" /tr "C:\Users\Admin\AppData\Roaming\SystemSecure"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4616
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
        3⤵
        PID:1160
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a14718
          4⤵
          PID:6060
    • C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe
      "C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe"
      2⤵
      • Executes dropped EXE
      PID:2084
  • C:\Users\Admin\AppData\Roaming\SystemSecure
    C:\Users\Admin\AppData\Roaming\SystemSecure
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4908
  • C:\Users\Admin\AppData\Roaming\SystemSecure
    C:\Users\Admin\AppData\Roaming\SystemSecure
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1548
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemSecure.log
    Filesize: 654B
    MD5: 2ff39f6c7249774be85fd60a8f9a245e
    SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
    SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
    SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: d7cb450b1315c63b1d5d89d98ba22da5
    SHA1: 694005cd9e1a4c54e0b83d0598a8a0c089df1556
    SHA256: 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
    SHA512: df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 37f660dd4b6ddf23bc37f5c823d1c33a
    SHA1: 1c35538aa307a3e09d15519df6ace99674ae428b
    SHA256: 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
    SHA512: 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 432B
    MD5: bf1f1554337ffcda540af1944e7e9b7d
    SHA1: 4580e870572277c03089745a8a8017bdc97c075e
    SHA256: c74355258b6ae53b5860d8d1de6f79762865b46cb459b4cb6deb470efb4ff40a
    SHA512: 211bf008add17d0f34b34012e42c3c68d84939e1cc20c13fd1189fd26c28787ffde1b6028765b807f2a8865fd5494de9cf2f00e90c169c21ff3f12bf72a45498

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 240B
    MD5: 8a34233c765c53bf9c22a30599051649
    SHA1: bce8a4f9e47c8976e03177123aa828ad19c501b8
    SHA256: 1450aa5df46f759f15dfb616ea03df7f33fe09c71f9b09e579b4e77264260e8f
    SHA512: 25c02295a3ea80f1c257f7788da1ddf663f923bc6bd541b6ed28f93b27d8c88fe7cb0e1b4186cec64d3928a0f1d850b3ed38b16ef518efdfb3594d0ad25a51d1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 1KB
    MD5: f03575c32e0c4c102b08de58942b71fb
    SHA1: 546cfd39b10736b648ca6b213a8b59ae63867ed4
    SHA256: f25fa7b938046dc1a0de793ff2196a111e8ec30a2a41f4cb78dc5021f6631423
    SHA512: c2148b7fcf4a795bed744fdbf941323d5a0df83a039e962f789dacf688ef18c8d90198910f31532503f8a77cb3c13bff61cdd28cc09d42919070fa1af56c5355

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 2KB
    MD5: 6a2385113362126518588a4307f6685e
    SHA1: 46a5ba28dc1073aaeb3ac23f3697f01e089cb8b8
    SHA256: 30b6352cb6e78acf5edf1a3ed88c0e0461210a0575e9bf9ebb92052a16ff6c58
    SHA512: e27166132332c2025a59d3b9052bb3e15874a843f69a9b658d09a96fc78b7eaaf28627deae13c2fa5bf87c0245a36442350d0831832d36a2d667494c5bce7b70

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 285b64817818745bc81a58d3ccbc3fae
    SHA1: d968ff1a18651d2db8cf3d643cf6e97c22dcb52d
    SHA256: cedbb4c3e0bffd1d79b0714fb18277c3ada554bdde4f00134b2234b5fcbe9cd7
    SHA512: d6df12c3ae8c00dc44b5628f908d27143214b92a48ee5c35e4e6ff2da9a2796f528318d032d67a194da99f59f5cc3f0bae57cf606142915d76c230c286e395b1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 7KB
    MD5: 19bbe8c046e264af75d9e6ba03177c58
    SHA1: 76df9dff8a0c850fe93989403c76183e493124f4
    SHA256: c0ae6b549470986fa0b7772e7947b27beca220268483530dc8affbcd77176f0f
    SHA512: 581d95169e874f45a8125d27ac02f9b57f5e7b0057ec8729807bba533c0f5f4a7379bbf513cd65c7f8bb759414cf919faf78fda946366abdbbf2df1c7308fbbc

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 7KB
    MD5: 14745f5e86b27b34472ddeebe8854175
    SHA1: 91cd28d4ad168328242cc3f4328b7f8b08605be6
    SHA256: 29ff0d175730e4c34e690f9d95903655d4d128650c891f19e2503b9b701931be
    SHA512: 73b9b9eee941aaef9c813a2994d4c31c07442b69abb4b35aff78cbec4a3fa033a89d4b3023351c44f7f4f36e1d4a7cc9af3c1b6ae59346a15cf2a6e7a131049b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 7KB
    MD5: 1e2038c58b736272cc0616fda2550ef2
    SHA1: c4f8b6a2f484bb40216de7be890d8f0eb3082a03
    SHA256: b20241a3d05e8ea55208d0abfe341d51cc4ff0b15d24ad905a97a5da8f4dab9b
    SHA512: 2ad122359ad26d16b41c9d35fee88e72aa47179b473729fcd1e850958d259964a4bb80d36ff4ed0d710b8352bf133f7385d099ca45751a688029bdbe6f127c58

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                7KB

                                                MD5

                                                6db7ca851288ad2a9371f01d11f69e94

                                                SHA1

                                                12bff3b8d1cf0ed01d6a9e011a1fffb9f6bd2fcd

                                                SHA256

                                                37845bd3e06ccbba86dd9724a66439c6da76f52cc482a6032d72670ee54c207e

                                                SHA512

                                                271c329834ec9c8f87dbf0869ae5ede45f2123affe52d136c7056ec219dea315b1847a3599b9bc336161df4d8d4543354a15eeb0b65d7ba59d8347ef633b1884

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                Filesize

                                                1KB

                                                MD5

                                                02d18990e74723c295351a709be7bcd2

                                                SHA1

                                                cf63ad77c0986a0de5f98c1ffac4a268e78bd8d6

                                                SHA256

                                                18a982815228ede7430b2d01ecf2e1300459ea9b59c426675601f355e459483b

                                                SHA512

                                                6c7a357e2572a9a6a964a95e55d0f13053f32200689325be76ebea6088068a97cfe51de957191a51fc51a1b8008537b02d88d8b4de7dab3f0b052c53409a1809

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a53fd.TMP

                                                Filesize

                                                1KB

                                                MD5

                                                321c1f6831fdd50d2f1431f1c1a850a2

                                                SHA1

                                                0d907bb48d86eebecd8d4d0f7e59ed11a17bdb33

                                                SHA256

                                                e67935541e1850db12b38b7790f1d9a9a95ac86244da016b1a099c89e81820e4

                                                SHA512

                                                6ceacb4260a57078ad36316cdcd0f153fd548d78ca6386abd2fe3bbffb53076bcad559869b60cf1cb97b755b7e472b1c838a58602e7e371b6dff7f3fc68ea2f7

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                                MD5

                                                c8224a254813fcdc1cd02840a348a084

                                                SHA1

                                                9bd1c048ebb5e9fea56b5ddbe7204b625d185122

                                                SHA256

                                                9eba47ec80e0c61ae5826af6f5a133d08482b9f78e22ea103231a75b2a3b6aef

                                                SHA512

                                                ca252addfbf98df93d13ea73bde3465cd602bacdbe7e3b0ce2fa95470a262c1d7cc9fd74c28152fe152034c8ed69d390bc22a6489564a9d8e65c6b6b03cf7845

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                12KB

                                                MD5

                                                6c015ebe6a89cfebaf3d5b7963d3adab

                                                SHA1

                                                f2b765c07fdf3ae7937c29d1ea497a3b456e9530

                                                SHA256

                                                6782f0c57c08a6a07e8dfed3d8856957a4e535e6f5df1834e2ad471a2f3350d1

                                                SHA512

                                                8376f82cd8aa1b796d91d7e912d51fece0bd54a870f8ab0a9fcee898b2480b6918fc74dde749c804685585da3d0efcc5ef546315765815f5e59c948133474be8

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                                MD5

                                                73708f29017d36f58d87fcff28713ddc

                                                SHA1

                                                d4476a6536d36ce5ee93d5f897219ef04e09302b

                                                SHA256

                                                381eac06defec7c77d8e8fb0eb1d65f65c6d99cb042f342a3f8a7a6972b3bef0

                                                SHA512

                                                2ee2d141b2bbffc6b20466de67e7a1de6a6205351143412196eae5e0c963069d76c41bf5dadaab29ad9dabbc03cef0c11b28d1d4610101aff4d19602d639498b

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                                MD5

                                                716a35d5ff4fa7082d17413464229bf8

                                                SHA1

                                                de4320cc7cbc1329e17107401db2cf96a8cf552b

                                                SHA256

                                                c919a5ccb5980fc74a3194cf2e62b7a99a9fffe4a8aa42cd86bc5e20c9dc6014

                                                SHA512

                                                7d13997147a83bf4fe38512c646dcf9c29d20473ed865fd2d35bbb019b08be2fbf5af52619d4beda2e5272e55becfa21dba491bd3f85c1adb11f1e9e6767b16e

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                6d42b6da621e8df5674e26b799c8e2aa

                                                SHA1

                                                ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                SHA256

                                                5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                SHA512

                                                53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                eb1ad317bd25b55b2bbdce8a28a74a94

                                                SHA1

                                                98a3978be4d10d62e7411946474579ee5bdc5ea6

                                                SHA256

                                                9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

                                                SHA512

                                                d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                15dde0683cd1ca19785d7262f554ba93

                                                SHA1

                                                d039c577e438546d10ac64837b05da480d06bf69

                                                SHA256

                                                d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                                                SHA512

                                                57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_haepgz45.jk4.ps1

                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              • C:\Users\Admin\AppData\Roaming\XClient.exe

                                                Filesize

                                                70KB

                                                MD5

                                                c408298b5922a6b71305cdcb25f534d5

                                                SHA1

                                                14952e04f5ba70ec6ca9846b00c02c9a399213f5

                                                SHA256

                                                822841455e83194306282409047520bf8513a189db088277aa42bf4221ff34d0

                                                SHA512

                                                518c0e524033625bc7415e632675bb129507e6385f5d97a943b451bd34f54146cc608043ec896538db30905f4e0ba98d65fac92700b280b810e0a3790cdea7e1

                                              • C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe

                                                Filesize

                                                109KB

                                                MD5

                                                4bf2058e2fe4ee6490873acd8d00fc71

                                                SHA1

                                                099f6cd30e1db09c0c51fad208a2c2706c6bd437

                                                SHA256

                                                53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea

                                                SHA512

                                                f4382641663486fadb345537b2d2fc8097e918ccc4697e79e5d1c219a6e66f301a2a4bc65f4a95f740fc92eccaef55ebd99ed49dafdbe2a28f906c15c549d4a5

                                              • C:\Users\Admin\Desktop\How To Decrypt My Files.html

                                                Filesize

                                                2KB

                                                MD5

                                                312c60a72fc22b70ce3c9320c3a15cb4

                                                SHA1

                                                5a67801856c8ea39b9c9148c74b552ad88a98269

                                                SHA256

                                                c9d6340c7035b9073a8df4d2a62c5ead2fa817f85d2f217ffc1a40a5f512f7bc

                                                SHA512

                                                8d03d3d4a1cf2c683ed8faeccd0aa5f74dbce4220668816ff089fec789c33cdc2ec8335c3b64b5fb23471cb91edb12728d0f717a569b7d4e75dcb42782c50ef1

                                              • C:\Users\Admin\Downloads\Unconfirmed 90425.crdownload

                                                Filesize

                                                22.4MB

                                                MD5

                                                c8bf1b2a8963cedb82301e450ba1a534

                                                SHA1

                                                26a89470845f55c5c999228c855340075f808f24

                                                SHA256

                                                d76029efae6c946a84ea3de73a4c07ee9b03314b2700cc77d3716bc88885119c

                                                SHA512

                                                cbb46c38de3892810f2cdb8d4c8419b3eed20f00ee52d788e6b1f364bfd60d3614b80488727d77c8098bd54b93d2080a61788ceb5270233a161557ff2da0cbe1

                                              • C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

                                                Filesize

                                                16B

                                                MD5

                                                f591cdd4d0b46e0cd793ac4c1c992222

                                                SHA1

                                                c5e4fe2eb6810877cbb0f6bce444af5c909abff6

                                                SHA256

                                                33d12c57a2e1c1030604dafcea395593c98524169036ffd64028075bf26bf729

                                                SHA512

                                                67a39fc7d867bbcccdac95d44a80edc29f00e8797c69af46e9a2be73fe8f7d503cefadd6eaf00c2861c57582d98ba7c2ef618aa11aa3138b0b0178bd518ecf19

                                              • C:\Windows\System32\perfc007.dat

                                                Filesize

                                                44KB

                                                MD5

                                                bc3d1639f16cb93350a76b95cd59108b

                                                SHA1

                                                47f1067b694967d71af236d5e33d31cb99741f4c

                                                SHA256

                                                004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9

                                                SHA512

                                                fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

                                              • C:\Windows\System32\perfc00A.dat

                                                Filesize

                                                47KB

                                                MD5

                                                69c02ba10f3f430568e00bcb54ddf5a9

                                                SHA1

                                                8b95d298633e37c42ea5f96ac08d950973d6ee9d

                                                SHA256

                                                62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

                                                SHA512

                                                16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

                                              • C:\Windows\System32\perfc00C.dat

                                                Filesize

                                                43KB

                                                MD5

                                                8b4b53cf469919a32481ce37bcce203a

                                                SHA1

                                                58ee96630adf29e79771bfc39a400a486b4efbb0

                                                SHA256

                                                a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

                                                SHA512

                                                62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

                                              • C:\Windows\System32\perfc010.dat

                                                Filesize

                                                42KB

                                                MD5

                                                bea0a3b9b4dc8d06303d3d2f65f78b82

                                                SHA1

                                                361df606ee1c66a0b394716ba7253d9785a87024

                                                SHA256

                                                e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927

                                                SHA512

                                                341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

                                              • C:\Windows\System32\perfc011.dat

                                                Filesize

                                                35KB

                                                MD5

                                                17fc81a0e3f9fc02821e40166f1cb09f

                                                SHA1

                                                2931659b064a216371420db215b1f48de29a1858

                                                SHA256

                                                fe933b8ae9d8fb3283a76b42cfed31be01d02c91cd7ba742b399df613762fff2

                                                SHA512

                                                19a93f08124962c9826cb6794b897ddc3dd3391e2b24cebd70c2a8027aa082d2b65f2d92ba438684d6e0490f1dabb714bcb17561b951807589c5ce920f2e6031

                                              • C:\Windows\System32\perfh007.dat

                                                Filesize

                                                307KB

                                                MD5

                                                312d855b1d95ae830e067657cffdd28c

                                                SHA1

                                                8133c02adeae24916fa9c53e52b3bfe66ac3d5a3

                                                SHA256

                                                ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf

                                                SHA512

                                                f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14

                                              • C:\Windows\System32\perfh009.dat

                                                Filesize

                                                297KB

                                                MD5

                                                50362589add3f92e63c918a06d664416

                                                SHA1

                                                e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

                                                SHA256

                                                9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

                                                SHA512

                                                e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

                                              • C:\Windows\System32\perfh00A.dat

                                                Filesize

                                                347KB

                                                MD5

                                                49032045f6bcb9f676c7437df76c7ffa

                                                SHA1

                                                f1bf3ba149cd1e581fe12fb06e93d512fe3a241b

                                                SHA256

                                                089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641

                                                SHA512

                                                55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

                                              • C:\Windows\System32\perfh00C.dat

                                                Filesize

                                                350KB

                                                MD5

                                                518020fbecea70e8fecaa0afe298a79e

                                                SHA1

                                                c16d691c479a05958958bd19d1cb449769602976

                                                SHA256

                                                9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125

                                                SHA512

                                                ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e

                                              • C:\Windows\System32\perfh010.dat

                                                Filesize

                                                340KB

                                                MD5

                                                f9fcefdf318c60de1e79166043b85ec4

                                                SHA1

                                                a99d480b322c9789c161ee3a46684f030ec9ad33

                                                SHA256

                                                9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7

                                                SHA512

                                                881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8

                                              • C:\Windows\System32\perfh011.dat

                                                Filesize

                                                141KB

                                                MD5

                                                ab91dd7fa8878b8d14608522cc38102e

                                                SHA1

                                                c4cf62ad6183a2d341fb3de756cb672516897183

                                                SHA256

                                                7aae74ee957962add631778e45a174693a15a2e9ca48e151f2fb5e31488eecf7

                                                SHA512

                                                f1202cbb56c93182d1aec675d9d069d1156d2cbe11cc6b05358f0e83786e4a04b0a6ba42be378574d01b8d17a3f2e38110d45f7d7a10cd89f8d7d8c83ff35455

                                              • memory/2084-1632-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

                                                Filesize

                                                128KB

                                              • memory/5136-1722-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/5136-1630-0x0000000000410000-0x0000000000428000-memory.dmp

                                                Filesize

                                                96KB

                                              • memory/5536-1642-0x000001DF6C160000-0x000001DF6C182000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/6060-1602-0x0000000000A20000-0x0000000000A62000-memory.dmp

                                                Filesize

                                                264KB
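The dropped-file list above is only useful if it can be turned into something that runs on another host. The following Python script is an added example, not part of the tria.ge report: it takes the SHA256 values the report gives for the dropped XWorm client (XClient.exe), the loader (XWormLoader 5.1 x64.exe) and the downloaded archive (Unconfirmed 90425.crdownload), plus the two weaker indicators this run produced, the ransom note name "How To Decrypt My Files.html" and the ".ENC" suffix appended to encrypted files, and sweeps a directory for them. The function names, the temporary directory and the sample files are constructed for the example; the hashes cover only the builds seen in this run, so on a different infection the name and suffix checks are what generalize, and the hash checks are there for exact confirmation.

```python
"""
Added example (not part of the tria.ge report): offline IOC sweep built from
the indicators in the report's dropped-file list.

Indicators taken from the report:
  - SHA256 of the dropped client, loader and downloaded archive
  - ransom note file name: How To Decrypt My Files.html
  - encrypted-file suffix: .ENC appended to the original name
Function names, the temp directory and the sample files are constructed here.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Union

# SHA256 values copied from the report's dropped-file list.
KNOWN_BAD_SHA256 = {
    # C:\Users\Admin\AppData\Roaming\XClient.exe (70KB)
    "822841455e83194306282409047520bf8513a189db088277aa42bf4221ff34d0": "XWorm client (XClient.exe)",
    # C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe (109KB)
    "53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea": "XWormLoader 5.1 x64.exe",
    # C:\Users\Admin\Downloads\Unconfirmed 90425.crdownload (22.4MB)
    "d76029efae6c946a84ea3de73a4c07ee9b03314b2700cc77d3716bc88885119c": "downloaded archive (Unconfirmed 90425.crdownload)",
}
RANSOM_NOTE_NAME = "how to decrypt my files.html"   # compared case-insensitively
ENCRYPTED_SUFFIX = ".enc"                            # observed on NTUSER.DAT{...}.regtrans-ms.ENC


def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory buffer as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so a 22.4MB archive is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path: Union[str, os.PathLike], digest: str) -> Optional[str]:
    """Verdict for one file, or None if nothing from the report matches.

    Exact hash matches are checked first; the name and suffix checks are weaker
    and only say "this looks like output of the ransomware plugin".
    """
    if digest in KNOWN_BAD_SHA256:
        return "hash-match: " + KNOWN_BAD_SHA256[digest]
    name = Path(path).name.lower()
    if name == RANSOM_NOTE_NAME:
        return "ransom-note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted-file"
    return None


def sweep(root: Path) -> Dict[str, str]:
    """Walk `root`; map each matching file (relative POSIX path) to its verdict."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # locked or unreadable: skip the file, do not abort the sweep
            verdict = classify(p, digest)
            if verdict:
                findings[p.relative_to(root).as_posix()] = verdict
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed profile layout (no real malware) and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "Desktop" / "How To Decrypt My Files.html").write_text("<html>constructed note</html>")
        (root / "NTUSER.DAT.regtrans-ms.ENC").write_bytes(b"\x00" * 16)
        (root / "Desktop" / "notes.txt").write_text("benign")
        return sweep(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{why:16s} {rel}")
```

Run it against a copied user profile rather than the live one, since the sweep hashes every file it can open. A hash hit on XClient.exe or the loader confirms this exact build; a ransom-note or encrypted-file hit without a hash hit means the same tooling with a rebuilt payload, which is the common case for XWorm.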