Malware Analysis Report

2025-03-15 08:23

Sample ID 241020-3dn7tswepc
Target https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html
Tags
xworm discovery execution persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html was found to be: Known bad.

Malicious Activity Summary

xworm discovery execution persistence ransomware rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Sets desktop wallpaper using registry

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 23:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 23:24

Reported

2024-10-20 23:27

Platform

win10v2004-20241007-en

Max time kernel

197s

Max time network

197s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemSecure = "C:\\Users\\Admin\\AppData\\Roaming\\SystemSecure" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\lodctr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SystemSecure N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SystemSecure N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2268 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/l99cjqg47env/XWorm_V5.10.zip.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3988 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\Fixer.bat" "

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe

"C:\Users\Admin\Downloads\XWorm V5.10\XWorm V5.1\XWormLoader5.1V.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe

"C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SystemSecure'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemSecure'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemSecure" /tr "C:\Users\Admin\AppData\Roaming\SystemSecure"

C:\Users\Admin\AppData\Roaming\SystemSecure

C:\Users\Admin\AppData\Roaming\SystemSecure

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 /prefetch:2

C:\Users\Admin\AppData\Roaming\SystemSecure

C:\Users\Admin\AppData\Roaming\SystemSecure

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd3a146f8,0x7ffdd3a14708,0x7ffdd3a14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2263038245231153616,7272976478581452032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 dosya.co udp
DE 195.201.111.49:443 dosya.co tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 49.111.201.195.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
DE 195.201.111.49:443 dosya.co tcp
DE 195.201.111.49:443 dosya.co tcp
DE 195.201.111.49:443 dosya.co tcp
DE 195.201.111.49:443 dosya.co tcp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 qc.tahrsli.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.179.238:443 apis.google.com tcp
GB 163.70.151.21:443 connect.facebook.net tcp
NL 23.109.170.27:443 qc.tahrsli.com tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 207.11.18.104.in-addr.arpa udp
US 8.8.8.8:53 229.129.101.151.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 216.239.34.36:443 region1.analytics.google.com tcp
GB 74.125.206.156:443 stats.g.doubleclick.net tcp
GB 172.217.169.67:443 www.google.co.uk tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 232.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 27.170.109.23.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 156.206.125.74.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 server11.dosya.co udp
US 150.171.27.10:443 g.bing.com tcp
DE 195.201.111.49:443 server11.dosya.co tcp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 close-todd.gl.at.ply.gg udp
US 147.185.221.22:19998 close-todd.gl.at.ply.gg tcp
US 8.8.8.8:53 22.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
N/A 127.0.0.1:19998 tcp
N/A 127.0.0.1:19998 tcp
N/A 127.0.0.1:19998 tcp
US 147.185.221.22:19998 close-todd.gl.at.ply.gg tcp
US 8.8.8.8:53 paypal.me udp
US 151.101.129.21:443 paypal.me tcp
US 151.101.129.21:443 paypal.me tcp
US 8.8.8.8:53 www.paypal.me udp
US 151.101.193.21:443 www.paypal.me tcp
US 8.8.8.8:53 21.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 21.129.101.151.in-addr.arpa udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.67.1:443 t.paypal.com tcp
US 151.101.67.1:443 t.paypal.com tcp
US 151.101.67.1:443 t.paypal.com tcp
US 151.101.67.1:443 t.paypal.com tcp
US 8.8.8.8:53 1.67.101.151.in-addr.arpa udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 www.google.co.uk udp
GB 172.217.169.67:443 www.google.co.uk udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

\??\pipe\LOCAL\crashpad_2268_PAMCKPYDJBPTTGXB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7cb450b1315c63b1d5d89d98ba22da5
SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 285b64817818745bc81a58d3ccbc3fae
SHA1 d968ff1a18651d2db8cf3d643cf6e97c22dcb52d
SHA256 cedbb4c3e0bffd1d79b0714fb18277c3ada554bdde4f00134b2234b5fcbe9cd7
SHA512 d6df12c3ae8c00dc44b5628f908d27143214b92a48ee5c35e4e6ff2da9a2796f528318d032d67a194da99f59f5cc3f0bae57cf606142915d76c230c286e395b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c8224a254813fcdc1cd02840a348a084
SHA1 9bd1c048ebb5e9fea56b5ddbe7204b625d185122
SHA256 9eba47ec80e0c61ae5826af6f5a133d08482b9f78e22ea103231a75b2a3b6aef
SHA512 ca252addfbf98df93d13ea73bde3465cd602bacdbe7e3b0ce2fa95470a262c1d7cc9fd74c28152fe152034c8ed69d390bc22a6489564a9d8e65c6b6b03cf7845

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1e2038c58b736272cc0616fda2550ef2
SHA1 c4f8b6a2f484bb40216de7be890d8f0eb3082a03
SHA256 b20241a3d05e8ea55208d0abfe341d51cc4ff0b15d24ad905a97a5da8f4dab9b
SHA512 2ad122359ad26d16b41c9d35fee88e72aa47179b473729fcd1e850958d259964a4bb80d36ff4ed0d710b8352bf133f7385d099ca45751a688029bdbe6f127c58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 716a35d5ff4fa7082d17413464229bf8
SHA1 de4320cc7cbc1329e17107401db2cf96a8cf552b
SHA256 c919a5ccb5980fc74a3194cf2e62b7a99a9fffe4a8aa42cd86bc5e20c9dc6014
SHA512 7d13997147a83bf4fe38512c646dcf9c29d20473ed865fd2d35bbb019b08be2fbf5af52619d4beda2e5272e55becfa21dba491bd3f85c1adb11f1e9e6767b16e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8a34233c765c53bf9c22a30599051649
SHA1 bce8a4f9e47c8976e03177123aa828ad19c501b8
SHA256 1450aa5df46f759f15dfb616ea03df7f33fe09c71f9b09e579b4e77264260e8f
SHA512 25c02295a3ea80f1c257f7788da1ddf663f923bc6bd541b6ed28f93b27d8c88fe7cb0e1b4186cec64d3928a0f1d850b3ed38b16ef518efdfb3594d0ad25a51d1

C:\Users\Admin\Downloads\Unconfirmed 90425.crdownload

MD5 c8bf1b2a8963cedb82301e450ba1a534
SHA1 26a89470845f55c5c999228c855340075f808f24
SHA256 d76029efae6c946a84ea3de73a4c07ee9b03314b2700cc77d3716bc88885119c
SHA512 cbb46c38de3892810f2cdb8d4c8419b3eed20f00ee52d788e6b1f364bfd60d3614b80488727d77c8098bd54b93d2080a61788ceb5270233a161557ff2da0cbe1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 73708f29017d36f58d87fcff28713ddc
SHA1 d4476a6536d36ce5ee93d5f897219ef04e09302b
SHA256 381eac06defec7c77d8e8fb0eb1d65f65c6d99cb042f342a3f8a7a6972b3bef0
SHA512 2ee2d141b2bbffc6b20466de67e7a1de6a6205351143412196eae5e0c963069d76c41bf5dadaab29ad9dabbc03cef0c11b28d1d4610101aff4d19602d639498b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6db7ca851288ad2a9371f01d11f69e94
SHA1 12bff3b8d1cf0ed01d6a9e011a1fffb9f6bd2fcd
SHA256 37845bd3e06ccbba86dd9724a66439c6da76f52cc482a6032d72670ee54c207e
SHA512 271c329834ec9c8f87dbf0869ae5ede45f2123affe52d136c7056ec219dea315b1847a3599b9bc336161df4d8d4543354a15eeb0b65d7ba59d8347ef633b1884

C:\Windows\System32\perfh011.dat

MD5 ab91dd7fa8878b8d14608522cc38102e
SHA1 c4cf62ad6183a2d341fb3de756cb672516897183
SHA256 7aae74ee957962add631778e45a174693a15a2e9ca48e151f2fb5e31488eecf7
SHA512 f1202cbb56c93182d1aec675d9d069d1156d2cbe11cc6b05358f0e83786e4a04b0a6ba42be378574d01b8d17a3f2e38110d45f7d7a10cd89f8d7d8c83ff35455

C:\Windows\System32\perfc011.dat

MD5 17fc81a0e3f9fc02821e40166f1cb09f
SHA1 2931659b064a216371420db215b1f48de29a1858
SHA256 fe933b8ae9d8fb3283a76b42cfed31be01d02c91cd7ba742b399df613762fff2
SHA512 19a93f08124962c9826cb6794b897ddc3dd3391e2b24cebd70c2a8027aa082d2b65f2d92ba438684d6e0490f1dabb714bcb17561b951807589c5ce920f2e6031

C:\Windows\System32\perfh010.dat

MD5 f9fcefdf318c60de1e79166043b85ec4
SHA1 a99d480b322c9789c161ee3a46684f030ec9ad33
SHA256 9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7
SHA512 881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8

C:\Windows\System32\perfc010.dat

MD5 bea0a3b9b4dc8d06303d3d2f65f78b82
SHA1 361df606ee1c66a0b394716ba7253d9785a87024
SHA256 e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927
SHA512 341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

C:\Windows\System32\perfh00C.dat

MD5 518020fbecea70e8fecaa0afe298a79e
SHA1 c16d691c479a05958958bd19d1cb449769602976
SHA256 9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125
SHA512 ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e

C:\Windows\System32\perfc00C.dat

MD5 8b4b53cf469919a32481ce37bcce203a
SHA1 58ee96630adf29e79771bfc39a400a486b4efbb0
SHA256 a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42
SHA512 62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

C:\Windows\System32\perfh00A.dat

MD5 49032045f6bcb9f676c7437df76c7ffa
SHA1 f1bf3ba149cd1e581fe12fb06e93d512fe3a241b
SHA256 089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641
SHA512 55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

C:\Windows\System32\perfc00A.dat

MD5 69c02ba10f3f430568e00bcb54ddf5a9
SHA1 8b95d298633e37c42ea5f96ac08d950973d6ee9d
SHA256 62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e
SHA512 16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

C:\Windows\System32\perfh009.dat

MD5 50362589add3f92e63c918a06d664416
SHA1 e1f96e10fb0f9d3bec9ea89f07f97811ccc78182
SHA256 9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce
SHA512 e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

C:\Windows\System32\perfh007.dat

MD5 312d855b1d95ae830e067657cffdd28c
SHA1 8133c02adeae24916fa9c53e52b3bfe66ac3d5a3
SHA256 ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf
SHA512 f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14

C:\Windows\System32\perfc007.dat

MD5 bc3d1639f16cb93350a76b95cd59108b
SHA1 47f1067b694967d71af236d5e33d31cb99741f4c
SHA256 004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9
SHA512 fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

memory/6060-1602-0x0000000000A20000-0x0000000000A62000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 c408298b5922a6b71305cdcb25f534d5
SHA1 14952e04f5ba70ec6ca9846b00c02c9a399213f5
SHA256 822841455e83194306282409047520bf8513a189db088277aa42bf4221ff34d0
SHA512 518c0e524033625bc7415e632675bb129507e6385f5d97a943b451bd34f54146cc608043ec896538db30905f4e0ba98d65fac92700b280b810e0a3790cdea7e1

C:\Users\Admin\AppData\Roaming\XWormLoader 5.1 x64.exe

MD5 4bf2058e2fe4ee6490873acd8d00fc71
SHA1 099f6cd30e1db09c0c51fad208a2c2706c6bd437
SHA256 53d7f79b97f9bb3883a26b4cd84127e4c0c932ba82d9dd437b52373099049bea
SHA512 f4382641663486fadb345537b2d2fc8097e918ccc4697e79e5d1c219a6e66f301a2a4bc65f4a95f740fc92eccaef55ebd99ed49dafdbe2a28f906c15c549d4a5

memory/5136-1630-0x0000000000410000-0x0000000000428000-memory.dmp

memory/2084-1632-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_haepgz45.jk4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5536-1642-0x000001DF6C160000-0x000001DF6C182000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb1ad317bd25b55b2bbdce8a28a74a94
SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f03575c32e0c4c102b08de58942b71fb
SHA1 546cfd39b10736b648ca6b213a8b59ae63867ed4
SHA256 f25fa7b938046dc1a0de793ff2196a111e8ec30a2a41f4cb78dc5021f6631423
SHA512 c2148b7fcf4a795bed744fdbf941323d5a0df83a039e962f789dacf688ef18c8d90198910f31532503f8a77cb3c13bff61cdd28cc09d42919070fa1af56c5355

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemSecure.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/5136-1722-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 f591cdd4d0b46e0cd793ac4c1c992222
SHA1 c5e4fe2eb6810877cbb0f6bce444af5c909abff6
SHA256 33d12c57a2e1c1030604dafcea395593c98524169036ffd64028075bf26bf729
SHA512 67a39fc7d867bbcccdac95d44a80edc29f00e8797c69af46e9a2be73fe8f7d503cefadd6eaf00c2861c57582d98ba7c2ef618aa11aa3138b0b0178bd518ecf19

C:\Users\Admin\Desktop\How To Decrypt My Files.html

MD5 312c60a72fc22b70ce3c9320c3a15cb4
SHA1 5a67801856c8ea39b9c9148c74b552ad88a98269
SHA256 c9d6340c7035b9073a8df4d2a62c5ead2fa817f85d2f217ffc1a40a5f512f7bc
SHA512 8d03d3d4a1cf2c683ed8faeccd0aa5f74dbce4220668816ff089fec789c33cdc2ec8335c3b64b5fb23471cb91edb12728d0f717a569b7d4e75dcb42782c50ef1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 19bbe8c046e264af75d9e6ba03177c58
SHA1 76df9dff8a0c850fe93989403c76183e493124f4
SHA256 c0ae6b549470986fa0b7772e7947b27beca220268483530dc8affbcd77176f0f
SHA512 581d95169e874f45a8125d27ac02f9b57f5e7b0057ec8729807bba533c0f5f4a7379bbf513cd65c7f8bb759414cf919faf78fda946366abdbbf2df1c7308fbbc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 14745f5e86b27b34472ddeebe8854175
SHA1 91cd28d4ad168328242cc3f4328b7f8b08605be6
SHA256 29ff0d175730e4c34e690f9d95903655d4d128650c891f19e2503b9b701931be
SHA512 73b9b9eee941aaef9c813a2994d4c31c07442b69abb4b35aff78cbec4a3fa033a89d4b3023351c44f7f4f36e1d4a7cc9af3c1b6ae59346a15cf2a6e7a131049b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 bf1f1554337ffcda540af1944e7e9b7d
SHA1 4580e870572277c03089745a8a8017bdc97c075e
SHA256 c74355258b6ae53b5860d8d1de6f79762865b46cb459b4cb6deb470efb4ff40a
SHA512 211bf008add17d0f34b34012e42c3c68d84939e1cc20c13fd1189fd26c28787ffde1b6028765b807f2a8865fd5494de9cf2f00e90c169c21ff3f12bf72a45498

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6c015ebe6a89cfebaf3d5b7963d3adab
SHA1 f2b765c07fdf3ae7937c29d1ea497a3b456e9530
SHA256 6782f0c57c08a6a07e8dfed3d8856957a4e535e6f5df1834e2ad471a2f3350d1
SHA512 8376f82cd8aa1b796d91d7e912d51fece0bd54a870f8ab0a9fcee898b2480b6918fc74dde749c804685585da3d0efcc5ef546315765815f5e59c948133474be8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 02d18990e74723c295351a709be7bcd2
SHA1 cf63ad77c0986a0de5f98c1ffac4a268e78bd8d6
SHA256 18a982815228ede7430b2d01ecf2e1300459ea9b59c426675601f355e459483b
SHA512 6c7a357e2572a9a6a964a95e55d0f13053f32200689325be76ebea6088068a97cfe51de957191a51fc51a1b8008537b02d88d8b4de7dab3f0b052c53409a1809

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a53fd.TMP

MD5 321c1f6831fdd50d2f1431f1c1a850a2
SHA1 0d907bb48d86eebecd8d4d0f7e59ed11a17bdb33
SHA256 e67935541e1850db12b38b7790f1d9a9a95ac86244da016b1a099c89e81820e4
SHA512 6ceacb4260a57078ad36316cdcd0f153fd548d78ca6386abd2fe3bbffb53076bcad559869b60cf1cb97b755b7e472b1c838a58602e7e371b6dff7f3fc68ea2f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6a2385113362126518588a4307f6685e
SHA1 46a5ba28dc1073aaeb3ac23f3697f01e089cb8b8
SHA256 30b6352cb6e78acf5edf1a3ed88c0e0461210a0575e9bf9ebb92052a16ff6c58
SHA512 e27166132332c2025a59d3b9052bb3e15874a843f69a9b658d09a96fc78b7eaaf28627deae13c2fa5bf87c0245a36442350d0831832d36a2d667494c5bce7b70