xworm | 7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6-main/Xworm V5.6.exe
Size

14.9MB
MD5

56ccb739926a725e78a7acf9af52c4bb
SHA1

5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256

90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA512

2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
SSDEEP

196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i

Score

10^/10

xworm discovery ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

sxjqbKlfK1fh3EQS

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\n0oe0wmk\n0oe0wmk.0.vb	family_xworm
C:\Users\Admin\Downloads\XClient.exe	family_xworm
behavioral2/memory/4448-37-0x0000000000040000-0x000000000004E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Executes dropped EXE 1 IoCs

Processes:

XClient.exe

pid process

4448 XClient.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
4448	XClient.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Xworm V5.6.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 58 IoCs

Processes:

Xworm V5.6.exeOpenWith.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

Xworm V5.6.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
2968	Xworm V5.6.exe
116	msedge.exe
116	msedge.exe
3316	msedge.exe
3316	msedge.exe
1232	identity_helper.exe
1232	identity_helper.exe
960	msedge.exe
960	msedge.exe
3220	msedge.exe
3220	msedge.exe
4680	identity_helper.exe
4680	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Xworm V5.6.exe

pid process

2968 Xworm V5.6.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

3316 msedge.exe
3316 msedge.exe
3220 msedge.exe
3220 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEXClient.exe

description pid process

Token: 33 1476 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1476 AUDIODG.EXE
Token: SeDebugPrivilege 4448 XClient.exe

pid	process
3316	msedge.exe
3316	msedge.exe
3220	msedge.exe
3220	msedge.exe

description	pid	process
Token: 33	1476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1476	AUDIODG.EXE
Token: SeDebugPrivilege	4448	XClient.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

Xworm V5.6.exemsedge.exemsedge.exe

pid	process
2968	Xworm V5.6.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of SendNotifyMessage 49 IoCs

Processes:

Xworm V5.6.exemsedge.exemsedge.exe

pid	process
2968	Xworm V5.6.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Xworm V5.6.exeOpenWith.exe

pid process

2968 Xworm V5.6.exe
2880 OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Xworm V5.6.exevbc.exeXClient.exemsedge.exe

description	pid	process	target process
PID 2968 wrote to memory of 4180	2968	Xworm V5.6.exe	vbc.exe
PID 2968 wrote to memory of 4180	2968	Xworm V5.6.exe	vbc.exe
PID 4180 wrote to memory of 4124	4180	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 4124	4180	vbc.exe	cvtres.exe
PID 4448 wrote to memory of 3316	4448	XClient.exe	msedge.exe
PID 4448 wrote to memory of 3316	4448	XClient.exe	msedge.exe
PID 3316 wrote to memory of 4368	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 4368	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 2436	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 116	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 116	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1692	3316	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n0oe0wmk\n0oe0wmk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc850D6611B6B04F41BBED67354F8E261.TMP"
    3⤵
    PID:4124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3340

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff0fbd46f8,0x7fff0fbd4708,0x7fff0fbd4718
    3⤵
    PID:4368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11532320757056285865,15075759164622128996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,11532320757056285865,15075759164622128996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,11532320757056285865,15075759164622128996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11532320757056285865,15075759164622128996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11532320757056285865,15075759164622128996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11532320757056285865,15075759164622128996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
    3⤵
    PID:3940
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11532320757056285865,15075759164622128996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff0fbd46f8,0x7fff0fbd4708,0x7fff0fbd4718
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10212272244682821550,1676684970826364926,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,10212272244682821550,1676684970826364926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,10212272244682821550,1676684970826364926,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10212272244682821550,1676684970826364926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10212272244682821550,1676684970826364926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10212272244682821550,1676684970826364926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10212272244682821550,1676684970826364926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2009555c0bb5f9bf2c55e65e80350eef

SHA1
667993bb8554032c3b3755b7733fd6532b0685c8

SHA256
65dfb785a61414136f5b61c4e8e9dea11d6e714917704c752bc5f67568f9f4e7

SHA512
29819a30731703e1e8ea1141314dc1931a6792c99911c60b065653be36d8f9311b2f95014338dbf5924ffdd453e6c1e6d8fca2782c443e874560beba6d777531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cce9e9f4b9fd8e0f9ef79f48c6dbaec4

SHA1
4fe453b717b00775adec43b84db8955e1108d8c8

SHA256
c4191c0180a10c00ab5e70dbb4c01173954a481f48c2202f59257b277868e637

SHA512
ddd6475da132aff41462af588dc4ec8702e2ca6e029f30f42f2410b061530cd535b559a4a5a3ab219e8cfdff388dbb3a25503a4d8d9fd155d9f7e80065fe5b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d1f604157b0745a40453afb93a6caa42

SHA1
3d5d77429b03674ebb0ba34d925ba1b09310df5e

SHA256
468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5

SHA512
0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
f218fdecf700adaf798b51830e02b3d7

SHA1
fe13fb1c3606fbb31df83ab8938ff302f509928b

SHA256
e7003398f5b8c432f0193811e4c3dc55472c86edeff4a9628d65c1e3302754a3

SHA512
9018c9efbf0791634008c542b3f506df1e32edca96f897af6bb8ce15475a59f0a0eaccc4adb9e0a464051855b80993fae159292f289f6c8b3056cdb24526fe47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
979a9793e6adc3765dbbf46115a496b6

SHA1
2e236e9d7c4d06ed48dc735409934f64c7729b67

SHA256
42717672c6ef55a4179938596af772656b74557efa3f80803337c8bb04fa6a38

SHA512
7175c029f401b3acd8be8be9375f1dbad1fb6067619e5590c15adbb9cfeca2443bfe910339acc3a6d5a05cddf472ea3184de7591fffd2d49e6bb12d7c77928bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1c4f813a99769a366ae1a2fb6100997c

SHA1
32077f69816e9cdfe8b5ccb3b1e62caf6e7cb124

SHA256
3336457a4dbd2217224f37631bcd71aa17aa530c7c971fcbb9bd2431820adfaf

SHA512
4dd74d57d5d185d3f379049d34fda844280c9bfa8a3ed85b675cd5bc2bdbbe0595efb1177d27281bf7c3a583fa399cebc6ed00c21483f274bc0ef47788d7ccb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
626B

MD5
dc703f67674beb03bde7713147b4c3ba

SHA1
69538d8aee1b30fe65e754903f753841dd96ecf1

SHA256
00369a0d84ccfa757709e72a7980a50ea9733c3a913860b17c5151a9b721b066

SHA512
f300d08028777185a34ad614d8908cfc678343fedfccb5a1426ac641a556f12d7870969da1772ce9638cc44a8a78b2c3b1ff59832ffd2655ce0045a56f69a306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
20KB

MD5
f0db5f190cb05edef29064961ed2be47

SHA1
cd16db3e94ba22d0904af8e3ec51a238f3ca7da5

SHA256
5c336e88fc124735d88c5e28551fbcd1b3210900ca25084fe6547cd2eb22fc2c

SHA512
bba95ef802deb62407af74a27e7f61f1924dc527e09f2c03364a6a9085e24c5bdb80437afe08405d5047bcf4d0ebbc79c2c6f1d2932434a7d9dede15f2fec276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
1be687e6c2293e7533480c43946152f6

SHA1
d43df2e625dc76857fc6c1e2ccaa2d20ca49aae1

SHA256
f432aacdfbd3306f91ba92114b5be78573931985886cf83daeba6a745b658121

SHA512
5cb3aba6758ed111eb6a1dd770dcebfc3ad994158f04e7699ecef5fd5214776960f30ed05c5733ebfcaf20cfae91a9e548b9e96598dabb4b61352bae397a6e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7c69e3fa208ab4c164600628d55df8b

SHA1
4b1f861a6e7c46d59e5194e7239cd263f0326895

SHA256
c24fbc2a46f5bf27db03513cdd66b773a7ed0405be920f8cdb05c71a7593f31c

SHA512
b862fe277da2f68e4736c9abc0835b47b831380da7c3c091cac3ec407bff0171bf72650c5a782c0f84d1f15cfc7eb02ce313b3ee9bd2ba35314ae1607ccff6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eba7017c21bcb19ad28f29e9eb0b943f

SHA1
d5ec1dd6a186427d74251764bc2b90d7415fd79f

SHA256
99d64346e529b99245beedd1dfc49afb3f543d0b8928f6769d289112d91fff39

SHA512
18a9bbb833a69472f1eeb6cf1cd4247b4542bf92fb20945bc61f0530c1151243abdfc903c6b854af943f732e72dfa3bf647022dacb54ab24fa032de38a97718f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
54c67ec6d445948ec544048235b8dc4b

SHA1
1c37c92fe9ed021a12ab4954903f81ed27fe3527

SHA256
6aafd75f911b2051d72d5b3f372b0f2a44d22637ee61896dd104d1eb400ff7c3

SHA512
a219b7df26cef0620140cc9812dce1126c3bb00fec46c72305f1d144a7d957c464b55ada419629b4071fac4b26cddd4c09dc6cc3fc6c4fdef19b4de49c7e0d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f935d7f3c7c1538165a025e05e006c55

SHA1
56875e07c61a786e1c7da8d2377f293dd1319a3e

SHA256
1b73fd8ccf785a15ce0822331a05c875b1d44596115dbfb21a1781c1d511fa83

SHA512
3e0fb132d8ade8b1c8229bd2c1b008aeb904d2b1c410bb4375ba678eb7b017729cf88d6e183d11b40da891a5882175a118d6701d7788b46828237783eb950582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
834277f1f1bd837cd71f745889a00d4a

SHA1
a680fa65c05c169a94ec8095212075db60783024

SHA256
d08cb38c460b80fdf11b62abae2665b1f91aa0e2c201c4ef3d35cf827e562b6c

SHA512
2fb6bb70d4d52c2a3cbef9153661ce78f3f2468cb7a2ad54d88d1fb8863c039d500228d5ee5052c09fa8429d1776515455c1b46b70447877ce2e7e1a4d4d2b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13376519989834314

Filesize
1KB

MD5
239cf364a7a16a72d3b2b0be334b7502

SHA1
1839f5d93677f25b2a2b8177fe91c6a0607098db

SHA256
8a7f4df19186ad141b96c42d7a2ee7339340596edbdd06ced4d97ec63352a4a4

SHA512
211fc105d9b21ab35178a122d8643b12ca04d01cea26edceb7b6463de513ddf815b5ba649985affe6acb73c884a587af6c1983682437780b81a0d01472cc04c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13376519990430314

Filesize
1KB

MD5
0e80e0a2ddedd160bd8298bb46c554a4

SHA1
4171c67771c282163fb3a681375531b9c19b8b51

SHA256
5d2e1316a49f42a5c1f80927ec54c0ced4eab2a1ddd3dcfb6fd84482596e450e

SHA512
443c73979fe282068e17776a7751a4541378bb7ccb1f22161e2d1fcb3fb8c7a9b2d894ffe2df9b1d476ffd3002676db6659e0803c6895941ddc8ba35d99e5941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
104e610e5792f0550ac6974a47dd41ff

SHA1
9779d7176871d58aed04d1c9a87c8154077f0b7a

SHA256
3484da604510cb7b8536203b8db41bcbb32efa94148edf85920d138bd99b252f

SHA512
21e1d1817f894b1cf4e2bf64131bdadda62577180e852bf6e8dc356f14f30801eeb3d77cfa6083d63657b3b95691beb16f3e4b73ef010c5f960145b352617eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
5689ee3c0ac33c3d68a841c9325d58a0

SHA1
82bdc3d2728190bb1b34150ea2bbd956ba256b9b

SHA256
605d305a255b844b4e397e97b4582a91c49d19ee0d88ac5ee95b650987fdce2b

SHA512
3f26ece9885faaaf55f126997526ed2920384dae400e6b6bf3bc78e2f301f4b6c8b9903d1e2d6015ce62d7f71dbbd0e38c4c0f0ded1d3c1b23ce2f71a9cf2a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
39bd8538ff1a647089eb5e38b79c36e6

SHA1
33d974e7049fcf8b85fae6b6302009d1b8161818

SHA256
f04163e66fe6a91057e8b8dbbcb25152d2c3bdcfb46da24ead936b3d05046bde

SHA512
1bb352ba031e447c35f89e5958cfd121b50b5d4a834d6ba2c4abb5a9ba1d6ce48f2d72cb840e2d2fd55c2b3c9434fb044b293144ac0cf12a52f2954f48ba3d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
4a4fce609ff11c76c02682dfc19f4b35

SHA1
33a85f3655c81f71387f907cfd64c5a19b9f61c3

SHA256
acb8f4ac1c5dfa1d8cb557de7a0ee4f157fbc13a40462e23b11a3e95b937f955

SHA512
69aebbca42a48f4964ec8d8e6ac208a20e30a9a7e7916ca22b63b17ad3fa98b8375b8494bb2d47085b2f30271591b418608118c81ccd1f95bbd30e4202e78444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
b9855fc00a6d03a553a9cced6e6bcd47

SHA1
628ef1648c6191b41a83f067aecc77b50726a267

SHA256
ea3d49c9ae41d4346038c01dddbcec7e9e5450287a336808d9fa512aea97627d

SHA512
87f3b85810bcebf7d044feac11d9c4188e61f806f7879bcee16ec69255bc631b38c83121dc4fe9edd699597b4526ef8660b75ab39fc0336d75dce3cf6bfbf4ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
1c88b66ba1cdfd1e2111aaf0d84dae3e

SHA1
9b35b6e0bec6d8b98f0da00a5ba4fd861461d114

SHA256
4d22b7dd496b7ffc08bec9d21a04c2ab6c3f5d518954e0cc3941228e07843b3d

SHA512
9cad071449bfb07cec5d71749f92873768c82f88aa4a2684f2bbb564c5abd7a35f2fad13ba3270e9ad6a3efe76e8e871a85b7876da40351c5c9350cfd3f629b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
4b469a921f77d9281ac4228d78254285

SHA1
f7ec35d617aa8101e2e4486189f3fb0eedf840d0

SHA256
17a9049b07fddbca0379f573bea50df7bfe7f1ed55342cb22b6dec6c7a3d3528

SHA512
d6d746dbf254e998fa0ceffc57efceb258646abdf1482039886f7d462e13fa2770871a8e2591059b1849c01a08564a1c968e617e0ea9aa6fefffa2ae2aac3b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
cd06545bf9ed773c5aaebf48ee5cbd45

SHA1
cb9a2c09bc9a2b12b2e4c99100e94bef37ff5f13

SHA256
d3c58f31c4a3bbd79be7d9c637d069be8b0a9de6b90101dbccc559de20459584

SHA512
8f3165056992c1aa02d1acb5ce23a400787203bf2719824933a99f82f2818d2caa7467da254e681f58e3114d432edd84052f9ef49853ee4cc4afa4786e88cfb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
784c576188cab52de77c8ee0bbff7bb4

SHA1
87c7f03060c8af35e7e15eef3ec6ce4d3015f48b

SHA256
ad75e46c07e37f36ae4293efddc16700144d6962b27605143876bf0ba976df97

SHA512
53b2a92ea79da4b1328ece93a447e38caeb9dda0c186f9fad17eba5c8a84d4bc9be8e2ec113179e0578a4d347afa1a6202609a8112bcbdf6709876e37aadbb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
85888d717ef26b82ea944f091c3e0d47

SHA1
c7c0e00cb601153d68fffc44bbba7fa1b3314063

SHA256
06d7030bef23918fad47e6ff40b36ad7eae51b301fb8226984067118cfb692ad

SHA512
cac80703b829e4a55ef31b045f04715763f38a2b84c999e689372fcb68097ced71896ce43df1a1b67725e0b8413dfd05fc1c7fef683661450e815879b8f5d48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
906bbb84d4398ad4b350015c7b55460f

SHA1
836827431642753f3629033c1742fa1a681f4163

SHA256
e261a87c543b04c97661e98abfb4b436cbee20a1ea8f3e89a489b7fa9482fc20

SHA512
49ed5ff345e56f524f3411811e0b1f6428244e51d858758c9ca1987d9b9ec36cd6970c7cf9ca5404bbc02be32047035c893c64c15dcef7d23837569216969405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
30e218677ca09523aa4f3e260f757a4c

SHA1
bcaa955b4bf4affae8e7c17d3ffe2e4d734ac5cf

SHA256
7c5613b7a1d70dd9566e7ff2a3aba9985fa02b940b1b5ffff828cc2d46312c74

SHA512
a8ffc647d938d2a1a4ed958de0ab4022bbaae9003a0c5add8890c3dc1dc23c0c9eaf3a0d745d862ab3704a6bf08b493303136fd8d278647316f845137cd8219f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a0b22c4000745b15df4fa4dce8cfd015

SHA1
8b6446853a9a0d7a917375050e944ee0654a562f

SHA256
d4a9192fb0f3f1745741d75623007e9f27a6f7064a282ef48979e2034629ee46

SHA512
1bda3455a9beaf36cf7b770f7e0d34ca5d5b80d64b0a83eff9e1adc6da47c85c79fe57ac447d36a27452d06af7aeb59eb24a0a111644267e4f7e207a304372e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
d8f7f53b7ddbba69c0d661b769a30444

SHA1
b7f43ee5a7b47dc811bd5fa9780243441483a042

SHA256
b30631774c64571cc425556df6d2e8c7a60896cb23b260ca04af305728f94fac

SHA512
f7518d0234251ab2ccdb0cbf1153c6a69e5ff45d8514bad39ad467457cf9d3619feaa5c3b5eacb005004611cd22351bfa0c1ec5dadcd462105d5614ef11cf567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
2e3e4aebeaa5113fb6473fa99e4b1e77

SHA1
79e5aaef868eaf65cffe9ef79ddf4eb92257eccd

SHA256
e618e3607291026722c5f8071c60322730ce3e717e41cbf21a3af70e58c758b2

SHA512
3444a872f4ff9e5304fb173fece1c02c25ef5a0c83471a4872f3857dce0bc232ade9d21b2cc9348b5c8995f22b24630433fb61b8688eeb46e7b57fe53738294f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FF4.tmp

Filesize
1KB

MD5
5d8949f73653ddf3319ccff353ee1b19

SHA1
e921c4724a861753d9e6fe3e59fd5d8bc4e611f3

SHA256
3f75a5abb51e43e2000978470a111075649d9f8847602583038e55d864b9eaae

SHA512
7fe375a723e96f6e4a253c3dbd48721b9aedca4321a5bf06a7c705cd8945d7bd5935286dbddea0511f502b126231300da067fdcea62649cf5d76920f09f5e360

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0oe0wmk\n0oe0wmk.0.vb

Filesize
78KB

MD5
26d7eb5197aa322b9a8ac8c2b871b5f2

SHA1
64c51d7cd3096873c5e42c85fa5c89481daf4728

SHA256
c1323ea29a098b3d34960de6bf5600916c8f2fbbe856b77a8c5ac5f396711c97

SHA512
eb83303ab606b2310a5a85355bfabda90b3f623b3a9c5c49efa35a6df899167464e674c642eb9a6ea9880f6887403c2900021018ffc94c2ad35d2f207a49f8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0oe0wmk\n0oe0wmk.cmdline

Filesize
292B

MD5
fd277524ea8b1c6441220ddfdd06300d

SHA1
5509112583bc798fa2c69b415e453f8d925b71ba

SHA256
fb3c32f9d2eead5421db6e7bc75ed2cfb0d18eea5a4c97463be08236497f507a

SHA512
208d524fbf37c67635f441b54bc511e80684e3381a832db42cee23ef088d64520166571beb6941c7a0004e9edbf51da53e3d954f967b325fe00d5e5d323175d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc850D6611B6B04F41BBED67354F8E261.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
641B

MD5
db7d57d2a298fc3feb26086912cfe3f8

SHA1
3850eb26c769be7f228cb53bf2236269fc3f62ad

SHA256
ff17f8040d8884abe46898096f18a5d0e9df62b36bb40bf482cf639d2764739e

SHA512
313c1e2f5b49ccef05418c42f8fc3b6b763a60c934ec58c7c56c660e8be2cbe3a8ffe24ef12003dd681226d404c05f2fd502ad5783ae188adeeed9d83c82fdd9

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
32KB

MD5
3c0a9fdb02c49b7d99a08c1a24de7cd3

SHA1
c99090c34aff14d95cce8103842a096a862d7304

SHA256
9a318d1c13cf4888c319a33a32e758d633be185ccbefcace3ebe98230e71f782

SHA512
ada4c7c93fcd8d3da6d46bd705a1647b4fcd1e4bab42e7f7643383c558189f392644c1783e7e632ff9b43db3d12fc6e9b1ec93a011dc76db0b8bbc968f631356

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
de3020618d72a952b930f10bd4dc3905

SHA1
0dbf5d2e4db5a420358586cc7ec31ef18ad579c7

SHA256
551e03fdf31664b4ff20712e828c717422fa1372855d9baa61fd615f6a52f993

SHA512
07486557ef8b6706ddbc4bf817d529a833d742e32e3ef9d01ad7d809ff4012872c4fa3f42eb90e80267643ce09df21b8e74ef12bea95a2deb5c79b70c69608be

Download Submit
\??\pipe\LOCAL\crashpad_3316_GDDUAGWRSNQRTJYQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2968-13-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-34-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-271-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-39-0x00000238CC820000-0x00000238CC8A2000-memory.dmp

Filesize
520KB

Download
memory/2968-40-0x00000238CC790000-0x00000238CC7BC000-memory.dmp

Filesize
176KB

Download
memory/2968-44-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-18-0x00000238D3890000-0x00000238D39F8000-memory.dmp

Filesize
1.4MB

Download
memory/2968-17-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-16-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-15-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-14-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-41-0x00000238D40E0000-0x00000238D43C2000-memory.dmp

Filesize
2.9MB

Download
memory/2968-0-0x00007FFF14FA3000-0x00007FFF14FA5000-memory.dmp

Filesize
8KB

Download
memory/2968-38-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-12-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-33-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-11-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-1-0x00000238AF080000-0x00000238AFF68000-memory.dmp

Filesize
14.9MB

Download
memory/2968-42-0x00000238D3710000-0x00000238D37C2000-memory.dmp

Filesize
712KB

Download
memory/2968-345-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-10-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-45-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-7-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-6-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/2968-5-0x00007FFF14FA3000-0x00007FFF14FA5000-memory.dmp

Filesize
8KB

Download
memory/2968-4-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-3-0x00000238CC590000-0x00000238CC784000-memory.dmp

Filesize
2.0MB

Download
memory/2968-2-0x00007FFF14FA0000-0x00007FFF15A61000-memory.dmp

Filesize
10.8MB

Download
memory/2968-46-0x00000238CA5A0000-0x00000238CA749000-memory.dmp

Filesize
1.7MB

Download
memory/4448-47-0x000000001ABC0000-0x000000001ABCC000-memory.dmp

Filesize
48KB

Download
memory/4448-37-0x0000000000040000-0x000000000004E000-memory.dmp

Filesize
56KB

Download