xworm | 4f6280e3269da904b7eb6199d15e9c51a144e70f4a2d38ebff7f1275becb6346

Analysis

max time kernel
150s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-11-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizClient.exe
Size

67KB
MD5

054eca6f0e8e8e442fe375a0f8ae2cbd
SHA1

51777dd9de3f45f86e20f88e886f67d7af724621
SHA256

4f6280e3269da904b7eb6199d15e9c51a144e70f4a2d38ebff7f1275becb6346
SHA512

1a80bc3cb4939133ae950bc03dcf712d974363177f29966286b1c080c977285d213f564700eb32247416843e608f7c7cdbb23d9efa395da361539dd4b294123d
SSDEEP

1536:vDaqXfs7jwSpTkgbHl8zlaL6MOOvr0acWb:vDaqXfMjwKbHEFOvr2m

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

while-stuffed.gl.at.ply.gg:61275

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4452-1-0x0000000000C30000-0x0000000000C48000-memory.dmp	family_xworm
behavioral1/files/0x002a000000045123-52.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4904	powershell.exe
4940	powershell.exe
2512	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	WizClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe

Executes dropped EXE 2 IoCs

pid	Process
1788	WizClient.exe
4664	WizClient.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe"	WizClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	WizClient.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1aac9785-e69c-436e-88e8-ef1e6454cd35.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241117043609.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	powershell.exe
4904	powershell.exe
4940	powershell.exe
4940	powershell.exe
2512	powershell.exe
2512	powershell.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	WizClient.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeIncreaseQuotaPrivilege	4904	powershell.exe
Token: SeSecurityPrivilege	4904	powershell.exe
Token: SeTakeOwnershipPrivilege	4904	powershell.exe
Token: SeLoadDriverPrivilege	4904	powershell.exe
Token: SeSystemProfilePrivilege	4904	powershell.exe
Token: SeSystemtimePrivilege	4904	powershell.exe
Token: SeProfSingleProcessPrivilege	4904	powershell.exe
Token: SeIncBasePriorityPrivilege	4904	powershell.exe
Token: SeCreatePagefilePrivilege	4904	powershell.exe
Token: SeBackupPrivilege	4904	powershell.exe
Token: SeRestorePrivilege	4904	powershell.exe
Token: SeShutdownPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeSystemEnvironmentPrivilege	4904	powershell.exe
Token: SeRemoteShutdownPrivilege	4904	powershell.exe
Token: SeUndockPrivilege	4904	powershell.exe
Token: SeManageVolumePrivilege	4904	powershell.exe
Token: 33	4904	powershell.exe
Token: 34	4904	powershell.exe
Token: 35	4904	powershell.exe
Token: 36	4904	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeIncreaseQuotaPrivilege	4940	powershell.exe
Token: SeSecurityPrivilege	4940	powershell.exe
Token: SeTakeOwnershipPrivilege	4940	powershell.exe
Token: SeLoadDriverPrivilege	4940	powershell.exe
Token: SeSystemProfilePrivilege	4940	powershell.exe
Token: SeSystemtimePrivilege	4940	powershell.exe
Token: SeProfSingleProcessPrivilege	4940	powershell.exe
Token: SeIncBasePriorityPrivilege	4940	powershell.exe
Token: SeCreatePagefilePrivilege	4940	powershell.exe
Token: SeBackupPrivilege	4940	powershell.exe
Token: SeRestorePrivilege	4940	powershell.exe
Token: SeShutdownPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeSystemEnvironmentPrivilege	4940	powershell.exe
Token: SeRemoteShutdownPrivilege	4940	powershell.exe
Token: SeUndockPrivilege	4940	powershell.exe
Token: SeManageVolumePrivilege	4940	powershell.exe
Token: 33	4940	powershell.exe
Token: 34	4940	powershell.exe
Token: 35	4940	powershell.exe
Token: 36	4940	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeIncreaseQuotaPrivilege	2512	powershell.exe
Token: SeSecurityPrivilege	2512	powershell.exe
Token: SeTakeOwnershipPrivilege	2512	powershell.exe
Token: SeLoadDriverPrivilege	2512	powershell.exe
Token: SeSystemProfilePrivilege	2512	powershell.exe
Token: SeSystemtimePrivilege	2512	powershell.exe
Token: SeProfSingleProcessPrivilege	2512	powershell.exe
Token: SeIncBasePriorityPrivilege	2512	powershell.exe
Token: SeCreatePagefilePrivilege	2512	powershell.exe
Token: SeBackupPrivilege	2512	powershell.exe
Token: SeRestorePrivilege	2512	powershell.exe
Token: SeShutdownPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeSystemEnvironmentPrivilege	2512	powershell.exe
Token: SeRemoteShutdownPrivilege	2512	powershell.exe
Token: SeUndockPrivilege	2512	powershell.exe
Token: SeManageVolumePrivilege	2512	powershell.exe
Token: 33	2512	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe
4452	WizClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4452	WizClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4904	4452	WizClient.exe	85
PID 4452 wrote to memory of 4904	4452	WizClient.exe	85
PID 4452 wrote to memory of 4940	4452	WizClient.exe	90
PID 4452 wrote to memory of 4940	4452	WizClient.exe	90
PID 4452 wrote to memory of 2512	4452	WizClient.exe	92
PID 4452 wrote to memory of 2512	4452	WizClient.exe	92
PID 4452 wrote to memory of 3928	4452	WizClient.exe	96
PID 4452 wrote to memory of 3928	4452	WizClient.exe	96
PID 4452 wrote to memory of 2668	4452	WizClient.exe	101
PID 4452 wrote to memory of 2668	4452	WizClient.exe	101
PID 2668 wrote to memory of 4684	2668	vbc.exe	103
PID 2668 wrote to memory of 4684	2668	vbc.exe	103
PID 4452 wrote to memory of 2040	4452	WizClient.exe	104
PID 4452 wrote to memory of 2040	4452	WizClient.exe	104
PID 2040 wrote to memory of 956	2040	vbc.exe	106
PID 2040 wrote to memory of 956	2040	vbc.exe	106
PID 4452 wrote to memory of 1612	4452	WizClient.exe	109
PID 4452 wrote to memory of 1612	4452	WizClient.exe	109
PID 1612 wrote to memory of 2196	1612	msedge.exe	110
PID 1612 wrote to memory of 2196	1612	msedge.exe	110
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3024	1612	msedge.exe	111
PID 1612 wrote to memory of 3536	1612	msedge.exe	112
PID 1612 wrote to memory of 3536	1612	msedge.exe	112
PID 1612 wrote to memory of 4276	1612	msedge.exe	113
PID 1612 wrote to memory of 4276	1612	msedge.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WizClient.exe
"C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fignn5j0\fignn5j0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC70B9E47234249EB83A62FA5A9D66079.TMP"
    3⤵
    PID:4684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfw5e3j2\cfw5e3j2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFBC160780A54A93B714E992D4C5AFB.TMP"
    3⤵
    PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff8bb9746f8,0x7ff8bb974708,0x7ff8bb974718
    3⤵
    PID:2196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:2
    3⤵
    PID:3024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
    3⤵
    PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:1544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:4900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
    3⤵
    PID:928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff61e5a5460,0x7ff61e5a5470,0x7ff61e5a5480
      4⤵
      PID:116
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
    3⤵
    PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11071337539385091754,10962054921972881016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:1336

C:\ProgramData\WizClient.exe
"C:\ProgramData\WizClient.exe"
1⤵
- Executes dropped EXE
PID:1788

C:\ProgramData\WizClient.exe
"C:\ProgramData\WizClient.exe"
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WizClient.exe

Filesize
67KB

MD5
054eca6f0e8e8e442fe375a0f8ae2cbd

SHA1
51777dd9de3f45f86e20f88e886f67d7af724621

SHA256
4f6280e3269da904b7eb6199d15e9c51a144e70f4a2d38ebff7f1275becb6346

SHA512
1a80bc3cb4939133ae950bc03dcf712d974363177f29966286b1c080c977285d213f564700eb32247416843e608f7c7cdbb23d9efa395da361539dd4b294123d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizClient.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc10dc6ba36bad31b4268762731a6c81

SHA1
9694d2aa8b119d674c27a1cfcaaf14ade8704e63

SHA256
d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f

SHA512
0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
467bc167b06cdf2998f79460b98fa8f6

SHA1
a66fc2b411b31cb853195013d4677f4a2e5b6d11

SHA256
3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd

SHA512
0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
2a461072e92556fac7741cd9f434750a

SHA1
e93724202145743c9b834bf2ec1d69713b1aac4c

SHA256
157cf0cef35c8b61b930ef09956e317df1aea1771866fde4e3e8c78c1ff39fd4

SHA512
b6fbc8ae339ed68fb9e00245c359be4481a739eb310477825478f98dd2246bd1e36007107419ed22d1daca9679426595532915267d0679074093258e5fe171f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c7df6b94ba985c11d0dcb7cb9d15ebe8

SHA1
59b15305804c174464de9bd69d578a8a90404295

SHA256
ea0a17c2f3b65c2aa082c832876ef044faf3971d07e0d97113a5b405e1ff4e82

SHA512
a4a4d4a09a0d479ecbc49c135f9c0aecc717e8c1fa3801ff17b53cfed8a24e64083d632f2154bea2ea87e0f56365e8606a58cb68f98daa1d37534bda575d6fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3b964859deef3a6f470b8021df49b34d

SHA1
62023dacf1e4019c9f204297c6be7e760f71a65d

SHA256
087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5

SHA512
c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5c2d5c900312f44e72209416d45723cb

SHA1
68fb8909308589149399c3fb74605600833fbbc1

SHA256
56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8

SHA512
07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85f79a00b28e9f9fed2a95d022614a3d

SHA1
b3e454a8298b0dd3643be6f393dd068bf7e64a77

SHA256
16f98d3ec491a6cc295714527642e1e86b29ea6efd760bbbb5006a5d4214522f

SHA512
2a98b27682997b543c5258bc57e1b7aa8036da96133b75498aab9b20711f2e4b1529f83c40ea7c8f7e3c5e039bf6ce59c23ce89e6f54b22e08ca80ed66e132f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
dab6496239dd81b76e734c98be6320aa

SHA1
6a1028bc0b7e90fb9c5a732818de1931bde92cbc

SHA256
fa4f3b5c3fc4b6b6802e47d86d1299ea8a2a3f76b08cb304cbf9247f49e162e6

SHA512
412ff47b44efd2e46fb7d02b8ec348e319ebbb705c0b06828e57e5d1d85bf94b92ecfcea2d544fae36dd831bcc5452b9dba0b71f76b088981b4d198849bf8316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b89ee80a1f26bb24d8426ea49793386

SHA1
4e437a062a9e42093c1e2974e90ed504caaacb0a

SHA256
e9a2a6d07b926a04924cc5ee3b8d712b98a0bcd2ee053aafb6563ebddfd3630a

SHA512
bacea03a096d4c6cae5ca67bb4043bb330c33d4c3b6880575d599c17ded9b8c517586814212d1881decc89cc71d721e3bceedd2a9cf0b9dc81ff69e07d65174a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DA5.tmp

Filesize
1KB

MD5
af2fb22cd983ba01a64fd426b7208946

SHA1
bd974f84afb3cb8e2459c670a3bc2a52c44b9552

SHA256
e1c32236ae69831b8d80520b510d2d6f078e5d9a40cea651c48e1138f034c74b

SHA512
c44ce9cebb58849a00ebc93c1d443f753c01abc4a980c7b1ee0aa40723df89d9240081b60a96bf85f39a30c9ada225891eeaac61da78f1c97b3a209ee4477b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAEF8.tmp

Filesize
1KB

MD5
eba2d68ec4f0b4788134d5c9939514c9

SHA1
6bfa356810cb4be71863b15e2a5d76e820fb0a1e

SHA256
728773797ea63cedea0debb1ebe4a485b3a4075fedfbeb8cb6ca15f90368bc72

SHA512
a020e4581b66bebc4fd7b3055e5e96ad4d7b0d05981c8eff684ae547ba9489c8cf9b5a7b1e5794563ac3cad80abfa7cdafcc698ad404f01d95c8f2c2240000b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrqoxs4x.p5r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfw5e3j2\cfw5e3j2.cmdline

Filesize
313B

MD5
e44e5f7961a88604f70057b14565f82e

SHA1
d4f20ac9280f36858511018e9af21c54d2a57913

SHA256
f455eabadda2000387777cd197b47ffa69a58e61e424bc9d4d9697a5d22a4d20

SHA512
f41ae802a0ca3b3a209e6737157eb760c4568ff8d47138d1130054e1a231f1cb02f3cd30060cb59e5ed0ed57531876091d9157bac64e8d58db0694045ee8cc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfw5e3j2\cfw5e3j2.exe

Filesize
7KB

MD5
52f750608579fe211fec864bcc962248

SHA1
31f293671e9b5dd1c46cb260ece566b6a8e893ce

SHA256
56cc3c9025fcb5f164edd4b039832ec1ba17f1edb6fa4580cd54751882e4cd67

SHA512
bb5a7e5a9c1a4b0a52f2bab9080444de510cfa9eb299bbdc6844fd40c64ae53ad1375384ef1d2b9f8eca4f9cecef94be8998b3eb27ee6de666754cb09c8a5ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fignn5j0\fignn5j0.0.vb

Filesize
847B

MD5
1e9bcb20a9fdec5da1d39b0dd3a31e99

SHA1
40689933669560f8484c34cc35f1cf51a6717d05

SHA256
945fd689e232fa04521cf8707c030795bb2f153bde3e6342f440a569a8bd10f9

SHA512
8fd74e5d1cdb937251296fc6c431b3ebe9873077b515960551b8eff5e843908b76e9a4828a81c890c855ff44b3a22668a932708113af7f24efd14383cdc06d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fignn5j0\fignn5j0.cmdline

Filesize
313B

MD5
5407e6717c0678337f3d38070c4d1003

SHA1
bcc51e4364242951e1fe0807f318ea3132e37d25

SHA256
09dbf5c8d337a3331f58fa031662a03727eb315fec1f4fb7731e5215a9390e7e

SHA512
26abe8273bf4e53d37fd057d35718129be082de5ea534300dea90db9784d26e5b903f2ec352b032d626deded8439df2e9678f82aa0de0a96bb100c9fbcf24a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\fignn5j0\fignn5j0.exe

Filesize
7KB

MD5
18a690d715bee690eaa2f7ec180b132a

SHA1
74d0eaead35db48235b0a93d508d60033d5e4d7e

SHA256
024b66c7a201fffa2f8dd4db85a680eaeb172d87227ef8a565fbfde9a7a7f53f

SHA512
39931573dcfc368fd5aa4b4e0982bc4c50f193f12344ba76d177c6d217327ebb05e7de85953a96116e034ccfad2462ad83eeccceef9800bc1ef2b24b358ac895

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBFBC160780A54A93B714E992D4C5AFB.TMP

Filesize
1KB

MD5
5043f0da5a5e44cf1b670824867f6ca5

SHA1
74345326b63c725a87ed543b0e3655e7391460fd

SHA256
9b974a910d5102d6f421307032b76d12f08cc6726d75a9e90632b7d7d5efb7fe

SHA512
08ff97a4c13d7e7bc48dcc940d7a15de8d70b533df9bed5a0848029ac215aef8f104ba537c526ab10bf12a67cda4f621193a9d1c78c9958e5a661415e6d5fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC70B9E47234249EB83A62FA5A9D66079.TMP

Filesize
1KB

MD5
bcee4a4430b5c7ba65e85d1664da570f

SHA1
e65d488c95dbb0b3a6f63811c57a4034afe5c4d4

SHA256
0b5dfae3ea75d68b77ad562745b50b4edaf804c8b60dffe20de240dc73f2c672

SHA512
ea640233f94a188ca1c819d5838e91f36f4ac8724750363e7a2451310dab0fa1a8cf349694b4052e773efe6b9b06bc1183d558c98fa423cab500b8b619100d9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d19e4831ddb3f40989ade56696b5783d

SHA1
0efaac985d7984d5a725ee8af7e311bcd294d9c2

SHA256
1d91120e9dbf1625a5821f689ac8e2cdc1b41f2589528e364b55aeb819dc08a4

SHA512
93e3c4f8271e8b278720fa79ce823bcb1cf5a87139b014c4e8f78fc265bd2a4f5f21ff01be8ac5278f14df0dfffb57000170ff142e03980185e27d82e97d00ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
33881e188fec32fa394fbf1360650b89

SHA1
d79ad94314baf417a2e9616372deac00357ed0d4

SHA256
25c2b4ba82365bb7525622141601dc6d053a1299fcf25fa41fc0ad134fa5e37f

SHA512
77fc7c01698e8fcc28af308b632a51273f73726eebadd32c7f14237623e094c8d4dfb9516eca9d39d09f37286342e1d728914fdeded852a17961e39215398158

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
723B

MD5
553cf6c7e10d1c701098d7e1d0a01839

SHA1
3cbdf41c6d02de51754a2696a382485be5175771

SHA256
bfbb59fa451071b37088b6286c3e5941f2536c4d9a1b77c1c6e987da9545b6ae

SHA512
591ace58027c743e663598f29857e3fa52e47e5a015dfb5e46570fcc563b623306b6e9de5df0aed2f5242c7ae88178aced6c909ec3b8c075b5d7239922d3183c

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
00d83c555bd13dffcad569faddda46db

SHA1
5b59f7e40be4eae7859296c29d61d28d58f2c496

SHA256
b1074dc5819d064f178e5ab0ee988ffc2175db3911bb10ef2b3dec927364fc7e

SHA512
84b75d70a8b40bd51e299ebc38cdc8c1ea94863ae30ffadc57554070043d21c02ed7474c7b533b33aa1991495108d39e4dccf3d6d458a9a5d83efe59816dafac

Download Submit
memory/4452-95-0x000000001CD00000-0x000000001CD08000-memory.dmp

Filesize
32KB

Download
memory/4452-47-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4452-32-0x00007FF8BEA23000-0x00007FF8BEA25000-memory.dmp

Filesize
8KB

Download
memory/4452-112-0x000000001D270000-0x000000001D278000-memory.dmp

Filesize
32KB

Download
memory/4452-0-0x00007FF8BEA23000-0x00007FF8BEA25000-memory.dmp

Filesize
8KB

Download
memory/4452-1-0x0000000000C30000-0x0000000000C48000-memory.dmp

Filesize
96KB

Download
memory/4452-2-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4452-54-0x0000000002C80000-0x0000000002C8C000-memory.dmp

Filesize
48KB

Download
memory/4452-80-0x000000001CCF0000-0x000000001CCFA000-memory.dmp

Filesize
40KB

Download
memory/4452-114-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/4904-14-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4904-15-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4904-13-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4904-9-0x000002D4F51B0000-0x000002D4F51D2000-memory.dmp

Filesize
136KB

Download
memory/4904-16-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4904-17-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download
memory/4904-20-0x00007FF8BEA20000-0x00007FF8BF4E2000-memory.dmp

Filesize
10.8MB

Download