Analysis Overview
Threat Level: Known bad
The file https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Sets desktop wallpaper using registry
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Enumerates system info in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-20 23:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 23:24
Reported
2024-10-20 23:27
Platform
win10v2004-20241007-en
Max time kernel
197s
Max time network
197s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SystemSecure | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SystemSecure | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemSecure = "C:\\Users\\Admin\\AppData\\Roaming\\SystemSecure" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SystemSecure | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SystemSecure | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3988 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\Fixer.bat" "
C:\Windows\system32\lodctr.exe
lodctr /r
C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe
"C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe
"C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SystemSecure'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSecure'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemSecure" /tr "C:\Users\Admin\AppData\Roaming\SystemSecure"
C:\Users\Admin\AppData\Roaming\SystemSecure
C:\Users\Admin\AppData\Roaming\SystemSecure
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 /prefetch:2
C:\Users\Admin\AppData\Roaming\SystemSecure
C:\Users\Admin\AppData\Roaming\SystemSecure
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
Network
Files
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5536-1642-0x000001DF6C160000-0x000001DF6C182000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dde0683cd1ca19785d7262f554ba93 |
| SHA1 | d039c577e438546d10ac64837b05da480d06bf69 |
| SHA256 | d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961 |
| SHA512 | 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f03575c32e0c4c102b08de58942b71fb |
| SHA1 | 546cfd39b10736b648ca6b213a8b59ae63867ed4 |
| SHA256 | f25fa7b938046dc1a0de793ff2196a111e8ec30a2a41f4cb78dc5021f6631423 |
| SHA512 | c2148b7fcf4a795bed744fdbf941323d5a0df83a039e962f789dacf688ef18c8d90198910f31532503f8a77cb3c13bff61cdd28cc09d42919070fa1af56c5355 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemSecure.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/5136-1722-0x0000000000AD0000-0x0000000000ADC000-memory.dmp
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | f591cdd4d0b46e0cd793ac4c1c992222 |
| SHA1 | c5e4fe2eb6810877cbb0f6bce444af5c909abff6 |
| SHA256 | 33d12c57a2e1c1030604dafcea395593c98524169036ffd64028075bf26bf729 |
| SHA512 | 67a39fc7d867bbcccdac95d44a80edc29f00e8797c69af46e9a2be73fe8f7d503cefadd6eaf00c2861c57582d98ba7c2ef618aa11aa3138b0b0178bd518ecf19 |
C:\Users\Admin\Desktop\How To Decrypt My Files.html
| MD5 | 312c60a72fc22b70ce3c9320c3a15cb4 |
| SHA1 | 5a67801856c8ea39b9c9148c74b552ad88a98269 |
| SHA256 | c9d6340c7035b9073a8df4d2a62c5ead2fa817f85d2f217ffc1a40a5f512f7bc |
| SHA512 | 8d03d3d4a1cf2c683ed8faeccd0aa5f74dbce4220668816ff089fec789c33cdc2ec8335c3b64b5fb23471cb91edb12728d0f717a569b7d4e75dcb42782c50ef1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 19bbe8c046e264af75d9e6ba03177c58 |
| SHA1 | 76df9dff8a0c850fe93989403c76183e493124f4 |
| SHA256 | c0ae6b549470986fa0b7772e7947b27beca220268483530dc8affbcd77176f0f |
| SHA512 | 581d95169e874f45a8125d27ac02f9b57f5e7b0057ec8729807bba533c0f5f4a7379bbf513cd65c7f8bb759414cf919faf78fda946366abdbbf2df1c7308fbbc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 14745f5e86b27b34472ddeebe8854175 |
| SHA1 | 91cd28d4ad168328242cc3f4328b7f8b08605be6 |
| SHA256 | 29ff0d175730e4c34e690f9d95903655d4d128650c891f19e2503b9b701931be |
| SHA512 | 73b9b9eee941aaef9c813a2994d4c31c07442b69abb4b35aff78cbec4a3fa033a89d4b3023351c44f7f4f36e1d4a7cc9af3c1b6ae59346a15cf2a6e7a131049b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | bf1f1554337ffcda540af1944e7e9b7d |
| SHA1 | 4580e870572277c03089745a8a8017bdc97c075e |
| SHA256 | c74355258b6ae53b5860d8d1de6f79762865b46cb459b4cb6deb470efb4ff40a |
| SHA512 | 211bf008add17d0f34b34012e42c3c68d84939e1cc20c13fd1189fd26c28787ffde1b6028765b807f2a8865fd5494de9cf2f00e90c169c21ff3f12bf72a45498 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6c015ebe6a89cfebaf3d5b7963d3adab |
| SHA1 | f2b765c07fdf3ae7937c29d1ea497a3b456e9530 |
| SHA256 | 6782f0c57c08a6a07e8dfed3d8856957a4e535e6f5df1834e2ad471a2f3350d1 |
| SHA512 | 8376f82cd8aa1b796d91d7e912d51fece0bd54a870f8ab0a9fcee898b2480b6918fc74dde749c804685585da3d0efcc5ef546315765815f5e59c948133474be8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 02d18990e74723c295351a709be7bcd2 |
| SHA1 | cf63ad77c0986a0de5f98c1ffac4a268e78bd8d6 |
| SHA256 | 18a982815228ede7430b2d01ecf2e1300459ea9b59c426675601f355e459483b |
| SHA512 | 6c7a357e2572a9a6a964a95e55d0f13053f32200689325be76ebea6088068a97cfe51de957191a51fc51a1b8008537b02d88d8b4de7dab3f0b052c53409a1809 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a53fd.TMP
| MD5 | 321c1f6831fdd50d2f1431f1c1a850a2 |
| SHA1 | 0d907bb48d86eebecd8d4d0f7e59ed11a17bdb33 |
| SHA256 | e67935541e1850db12b38b7790f1d9a9a95ac86244da016b1a099c89e81820e4 |
| SHA512 | 6ceacb4260a57078ad36316cdcd0f153fd548d78ca6386abd2fe3bbffb53076bcad559869b60cf1cb97b755b7e472b1c838a58602e7e371b6dff7f3fc68ea2f7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 6a2385113362126518588a4307f6685e |
| SHA1 | 46a5ba28dc1073aaeb3ac23f3697f01e089cb8b8 |
| SHA256 | 30b6352cb6e78acf5edf1a3ed88c0e0461210a0575e9bf9ebb92052a16ff6c58 |
| SHA512 | e27166132332c2025a59d3b9052bb3e15874a843f69a9b658d09a96fc78b7eaaf28627deae13c2fa5bf87c0245a36442350d0831832d36a2d667494c5bce7b70 |