xworm | b7df6d57fa0d03e8b88e410b7e3f9e9b2a3f1ea1ed7da20772b5ac891901b973

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USD Payment Receipt 12112024.exe
Size

948KB
MD5

f42ead56b96d1ba327e85589ef129525
SHA1

57a14d971e918a2f0cdf9c7de2d58f7f0735fa27
SHA256

b7df6d57fa0d03e8b88e410b7e3f9e9b2a3f1ea1ed7da20772b5ac891901b973
SHA512

d3f39ac55320356472ea2f9c94633463c48da6f7691d6362eb35501ef9a6e764ad0e67c7177383e074750e4af426d2b20d8e3f751e6369984bf33ea6872af0f0
SSDEEP

12288:H76xn0ce0nsDy0Q00QEA86GiuzOg7IPD6TbsdWcS/0w1ey2EcP1E4gLO:b6xnLnBmn86uzOg7IrYbyWRjeZxgL

Score

10^/10

xworm discovery execution ransomware rat spyware stealer trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3652-35-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4820	powershell.exe
4580	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	USD Payment Receipt 12112024.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	USD Payment Receipt 12112024.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	USD Payment Receipt 12112024.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	USD Payment Receipt 12112024.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 3652	4316	USD Payment Receipt 12112024.exe	99

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USD Payment Receipt 12112024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USD Payment Receipt 12112024.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4820	powershell.exe
4580	powershell.exe
4820	powershell.exe
4580	powershell.exe
4588	msedge.exe
4588	msedge.exe
1440	msedge.exe
1440	msedge.exe
4424	identity_helper.exe
4424	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	3652	USD Payment Receipt 12112024.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4820	4316	USD Payment Receipt 12112024.exe	93
PID 4316 wrote to memory of 4820	4316	USD Payment Receipt 12112024.exe	93
PID 4316 wrote to memory of 4820	4316	USD Payment Receipt 12112024.exe	93
PID 4316 wrote to memory of 4580	4316	USD Payment Receipt 12112024.exe	95
PID 4316 wrote to memory of 4580	4316	USD Payment Receipt 12112024.exe	95
PID 4316 wrote to memory of 4580	4316	USD Payment Receipt 12112024.exe	95
PID 4316 wrote to memory of 2040	4316	USD Payment Receipt 12112024.exe	97
PID 4316 wrote to memory of 2040	4316	USD Payment Receipt 12112024.exe	97
PID 4316 wrote to memory of 2040	4316	USD Payment Receipt 12112024.exe	97
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 4316 wrote to memory of 3652	4316	USD Payment Receipt 12112024.exe	99
PID 3652 wrote to memory of 1440	3652	USD Payment Receipt 12112024.exe	103
PID 3652 wrote to memory of 1440	3652	USD Payment Receipt 12112024.exe	103
PID 1440 wrote to memory of 1688	1440	msedge.exe	104
PID 1440 wrote to memory of 1688	1440	msedge.exe	104
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 1400	1440	msedge.exe	105
PID 1440 wrote to memory of 4588	1440	msedge.exe	106
PID 1440 wrote to memory of 4588	1440	msedge.exe	106
PID 1440 wrote to memory of 2484	1440	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\USD Payment Receipt 12112024.exe
"C:\Users\Admin\AppData\Local\Temp\USD Payment Receipt 12112024.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\USD Payment Receipt 12112024.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VVfccOQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VVfccOQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\USD Payment Receipt 12112024.exe
  "C:\Users\Admin\AppData\Local\Temp\USD Payment Receipt 12112024.exe"
  2⤵
  - Drops startup file
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb85aa46f8,0x7ffb85aa4708,0x7ffb85aa4718
      4⤵
      PID:1688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      4⤵
      PID:2484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
      4⤵
      PID:2356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
      4⤵
      PID:4232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
      4⤵
      PID:4428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
      4⤵
      PID:4260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
      4⤵
      PID:804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13587821877443859716,10728792278050531162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USD Payment Receipt 12112024.exe.log

Filesize
1KB

MD5
b7b9acb869ccc7f7ecb5304ec0384dee

SHA1
6a90751c95817903ee833d59a0abbef425a613b3

SHA256
8cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4

SHA512
7bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1512c27f039ee714318e50c8612cc374

SHA1
91573ead9728e4a642888188423aa6699436bc5e

SHA256
5d28fec429d00a750c28f4e5a7adb4fa03766c24ef4540fd8ef8917fe385b266

SHA512
efe2cd381f815c002438ed09bae425c29fd0971597adb361a7550800a8de736233e0d7d708f02cd5eb2d8c598eb6f42193709ddc77541aa88222d3e4781f29e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aa90371db156281ca6a049371c656824

SHA1
fdc5f0adf48d84fc1129fd77645f068941ba964d

SHA256
1e7ca7dc32bfcebf3f1c23c90efc107950f567a902f5d48164a49a90335b107c

SHA512
5db3e4b4a9563b237eabf11ffc8e21e6796456af0496045fade86074cf7a9651ea45c3665a9df8c2f2fede0de46489f1f1b39ca1a5e8cff9f1df8de037df4c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
264a641c2672768535f13e3b188895f5

SHA1
36e67405e7ddabe34d85a159dc044d8848a3af47

SHA256
88d9c612c096f8fdf27b7f32f865e6a0dd126f194baf842804594f961ea8e2de

SHA512
fe611736c77bedbd24bb9475b53ae20ae3c7fdd5f7222f203c9c93319ba58cfcf8f8414c134ceb203d035c44dcb4bc5616d43b15a88c12a36dd2c0c680ca9eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
eca90565cd000d0a6f4b6b68f3cddda1

SHA1
be82fb7a61b335ab5fd9010011add0e2fdf7c6b9

SHA256
b874eed72ca1f61962b2860cf6a943f70a92dcde199e738e68ecec6c93f758cf

SHA512
e5c129125067677d3b6a3cd305ba803b3e705d020580d27b069b69bd417d415d2c4eb2e639813bce332f463c069664dfd5283d2538ab3accc6141bfb26189436

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjhq4rsn.25f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp

Filesize
1KB

MD5
5f9caf6759abe39078dda4dd09980903

SHA1
b2a3cdc717df1be5997f4e37b33f88fb0e1006ec

SHA256
1e16494b9f83135a05b164f1f2cbb05125f839824a6695fa37e9b95ebdf8731b

SHA512
3a6132688ca6aa6f5fabffc7ff0f837a5079bfbc593c6970702433d6a5ce8b4c10ab74521971095bbd16fac5afe17a2d96f050ee78a2fa30d5f4832a15aa58ec

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
948KB

MD5
f42ead56b96d1ba327e85589ef129525

SHA1
57a14d971e918a2f0cdf9c7de2d58f7f0735fa27

SHA256
b7df6d57fa0d03e8b88e410b7e3f9e9b2a3f1ea1ed7da20772b5ac891901b973

SHA512
d3f39ac55320356472ea2f9c94633463c48da6f7691d6362eb35501ef9a6e764ad0e67c7177383e074750e4af426d2b20d8e3f751e6369984bf33ea6872af0f0

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
708B

MD5
22cd3a2c9b89dd7414e43b0f0a74388c

SHA1
89d0aed000cac797b830f8a4524dcb12481f605f

SHA256
9ad77a8faa16fba761d50866ce98a24bc8201ab91abd354ecc81ac022dc15f52

SHA512
3067e2e51d467275c239d1d8d529671f45d219bec15672931e91ec5b109e810b0c1778689afae039e741082b092d3a689d2e80aca7b4e51363f9e7af15ac0ced

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
5cf7e4e8b879e040c712d3174699516e

SHA1
2b71b1909f32ece45b1ba55cde5d62d9739fd64c

SHA256
068793f821868d5a010b77eff6ce226528bc3f76379beb83cdd941e9b14271dd

SHA512
abda005ec559cfbc13577aac8253a3e9f4940c636ca4916c3d2ee4be5e4b3f924523e50c0dbfc856f51ae2a91b1cff3cf59c5d4b3bfda5f2ad8545291c1bc08c

Download Submit
memory/3652-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3652-97-0x0000000006640000-0x000000000664C000-memory.dmp

Filesize
48KB

Download
memory/3652-95-0x0000000007070000-0x000000000707E000-memory.dmp

Filesize
56KB

Download
memory/4316-6-0x0000000005BB0000-0x0000000005C4C000-memory.dmp

Filesize
624KB

Download
memory/4316-8-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/4316-7-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4316-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/4316-11-0x00000000067B0000-0x0000000006804000-memory.dmp

Filesize
336KB

Download
memory/4316-5-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

Filesize
40KB

Download
memory/4316-4-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/4316-40-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4316-9-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/4316-10-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4316-3-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/4316-2-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/4316-1-0x0000000000EB0000-0x0000000000FA2000-memory.dmp

Filesize
968KB

Download
memory/4580-53-0x0000000075280000-0x00000000752CC000-memory.dmp

Filesize
304KB

Download
memory/4580-52-0x0000000006CB0000-0x0000000006CE2000-memory.dmp

Filesize
200KB

Download
memory/4580-63-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/4580-74-0x0000000006F20000-0x0000000006FC3000-memory.dmp

Filesize
652KB

Download
memory/4580-20-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-39-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-77-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/4580-78-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/4580-23-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-80-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/4580-89-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-79-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/4820-24-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/4820-82-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/4820-51-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/4820-90-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-81-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/4820-50-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/4820-22-0x0000000005610000-0x0000000005632000-memory.dmp

Filesize
136KB

Download
memory/4820-64-0x0000000075280000-0x00000000752CC000-memory.dmp

Filesize
304KB

Download
memory/4820-83-0x00000000073F0000-0x00000000073F8000-memory.dmp

Filesize
32KB

Download
memory/4820-27-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4820-76-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/4820-38-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-75-0x0000000007720000-0x0000000007D9A000-memory.dmp

Filesize
6.5MB

Download
memory/4820-19-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-18-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-17-0x0000000004E90000-0x00000000054B8000-memory.dmp

Filesize
6.2MB

Download
memory/4820-16-0x0000000004800000-0x0000000004836000-memory.dmp

Filesize
216KB

Download