stormkitty | 4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-12-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2477.exe
Size

125KB
MD5

02201ab0ffca3905fbf110296fd58298
SHA1

4068eb4c09f6e09637588ee3cf62bf7229a25faa
SHA256

4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe
SHA512

4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705
SSDEEP

1536:Rn7TvjnE1RowM/gZbgjx1LAYivy6sDOsyrXdtyVt3A7HPd4n+lbeRZIbSQPYU:RHovoX/0bgAoORHyHQbPRyZ2pPYU

Score

10^/10

stormkitty xworm discovery execution persistence ransomware rat spyware stealer trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/memory/4604-1-0x0000000000F40000-0x0000000000F66000-memory.dmp	family_xworm
behavioral3/files/0x002000000002ab08-98.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral3/memory/4604-59-0x000000001DAC0000-0x000000001DBE0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3644	powershell.exe
3344	powershell.exe
4084	powershell.exe
2868	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk	2477.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk	2477.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	spoolsv.exe
460	spoolsv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	2477.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	2477.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3644	powershell.exe
3644	powershell.exe
3344	powershell.exe
3344	powershell.exe
4084	powershell.exe
4084	powershell.exe
2868	powershell.exe
2868	powershell.exe
4604	2477.exe
1184	msedge.exe
1184	msedge.exe
2496	msedge.exe
2496	msedge.exe
4380	msedge.exe
4380	msedge.exe
3068	identity_helper.exe
3068	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	2477.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	4604	2477.exe
Token: SeDebugPrivilege	2504	spoolsv.exe
Token: SeDebugPrivilege	460	spoolsv.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	2477.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 3644	4604	2477.exe	78
PID 4604 wrote to memory of 3644	4604	2477.exe	78
PID 4604 wrote to memory of 3344	4604	2477.exe	80
PID 4604 wrote to memory of 3344	4604	2477.exe	80
PID 4604 wrote to memory of 4084	4604	2477.exe	82
PID 4604 wrote to memory of 4084	4604	2477.exe	82
PID 4604 wrote to memory of 2868	4604	2477.exe	84
PID 4604 wrote to memory of 2868	4604	2477.exe	84
PID 4604 wrote to memory of 5000	4604	2477.exe	86
PID 4604 wrote to memory of 5000	4604	2477.exe	86
PID 4604 wrote to memory of 2496	4604	2477.exe	90
PID 4604 wrote to memory of 2496	4604	2477.exe	90
PID 2496 wrote to memory of 836	2496	msedge.exe	91
PID 2496 wrote to memory of 836	2496	msedge.exe	91
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 2244	2496	msedge.exe	92
PID 2496 wrote to memory of 1184	2496	msedge.exe	93
PID 2496 wrote to memory of 1184	2496	msedge.exe	93
PID 2496 wrote to memory of 4148	2496	msedge.exe	94
PID 2496 wrote to memory of 4148	2496	msedge.exe	94
PID 2496 wrote to memory of 4148	2496	msedge.exe	94
PID 2496 wrote to memory of 4148	2496	msedge.exe	94
PID 2496 wrote to memory of 4148	2496	msedge.exe	94
PID 2496 wrote to memory of 4148	2496	msedge.exe	94
PID 2496 wrote to memory of 4148	2496	msedge.exe	94
PID 2496 wrote to memory of 4148	2496	msedge.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2477.exe
"C:\Users\Admin\AppData\Local\Temp\2477.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2477.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2477.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoolsv" /tr "C:\Users\Admin\AppData\Roaming\spoolsv.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe312b3cb8,0x7ffe312b3cc8,0x7ffe312b3cd8
    3⤵
    PID:836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
    3⤵
    PID:2244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
    3⤵
    PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
    3⤵
    PID:2012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,17036889174759568270,9720078093364591470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:856

C:\Users\Admin\AppData\Roaming\spoolsv.exe
C:\Users\Admin\AppData\Roaming\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

C:\Users\Admin\AppData\Roaming\spoolsv.exe
C:\Users\Admin\AppData\Roaming\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d7ac0f05b6f83f3e01aef0eca0649e1

SHA1
d4f122dacf2b1f914264aa0e813696fe04262fd3

SHA256
c74888becb6b570e55d6b74c125cf98d2770dd7a0df27296fd6ed01d335d2f23

SHA512
0bffd15bf6579f0df57699703b85de0734711d48fde539ec77ffcccc30cf9ca9fb37823599b1542c10d684216cfe59132156c888f92f326893471de7ac131439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9db295abdd7531093b0373d253564b29

SHA1
9eba1cf433c1036d44ebdcb8133ad48a9bda7392

SHA256
838b3af5e5b568da440f97c0413a888fe0e18b6d5b194c4d2af5d13dbc846aff

SHA512
f0150029cd235c425f246ea75c463885683a1b7f2898d078128be0a299b5422e1040c739f877126ab6709eb3c75b34ab775032cf7b8d040e3a453bcbeec3e721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3473aaa4b58d3ec006f78717a00b3398

SHA1
14c722ac29e91250c844f9b91a56371879a9fcc3

SHA256
36217c5745024ee2b956685faf37eb8abfd4642070bf10f13067d8ac76f824f4

SHA512
e8cd90cf5b72b6c98497ca65bee8b3363fddd768f6a456a59213abbc784c576a78e209ad93e3f3986f692678b1be2da748b83f54fe7b0c101c3e9bd950013e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
17007a7656b04fa31dac43e96999618c

SHA1
24ec666778743357ad24ddd769f69288e0109d9b

SHA256
a22ec1cc2a85e57378428e0df4e79d620b44e04e7335edea1083d5d019c5f651

SHA512
c4e7d4bcd3301869293813e9cbb2f6a4e8c5592c27bde90d123a395d96abf53b28d853dd55b375bd3284129f57ce106a9abc057e4c6f2d73cfa244346db8b720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
17adcd2acd83c7e5453d2ea46217eea6

SHA1
1b0fccbb0271df1ea65f94fe73c301dab1b82ada

SHA256
5c2ee2b9fe96c5b5ab537019449f81d949bb065e6ab2cca7fb015a31451cf067

SHA512
7d2e3943fde0ebc3ee126cf343c0518b905b2a29b12342999070a8731fa92c88e3914396755952b6c2f94c16eefc543eda57d2ce66ea326cd78628b8483ded91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
84c60b3b68f5cd4271a30d2e316af184

SHA1
1bc705feabb7243aef7533686b20069f83725803

SHA256
2c886a0e26538f2c24365ee95499b1ef8152bd14271cbe9c3e9c33d7af7b4d7f

SHA512
0974ebe961322f4a04a248788f12393835c99343b4ee8aab4b72bd5157ef12a54022ae80dd0c6dbf50d2da91169c92938c95aa7b2902fb10de88982ed2cd5ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc2210f652fff7eb769ceac982678f09

SHA1
dc1eebc04c9fc5dbfc05b80340ada3c63e16178e

SHA256
8fd1a8119831b8aec9d809642505b154c6ad3a6920a7bf7c8028e369da5978c5

SHA512
38db3e814c4e67f79938574d4d7b73248c61011dca46d2c77615aa1682fddf0554f41eef2097c4149ad4dee41b53db9c654901d001fc6f674d0a7c3ef5f58303

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w2kgigjn.qnp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
125KB

MD5
02201ab0ffca3905fbf110296fd58298

SHA1
4068eb4c09f6e09637588ee3cf62bf7229a25faa

SHA256
4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe

SHA512
4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
bde9a6e5bba4b7a5984a9c01a04b49d7

SHA1
233e3b6f675d04a950fb113e1868a43781ec6b4f

SHA256
793dcf9185b7ec2dc02865a2d270477f56aadeafce2d5ddacfa5af69390cf14f

SHA512
a511bb535f86f6c87145f196ba83a0cdcb990b65686f4322a139540efc649a3d0644cd314af287828ca3a936c275ea7ad057794e1dc62944d2a122af87772fa5

Download Submit
memory/3644-15-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/3644-16-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/3644-3-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/3644-9-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/3644-14-0x000001EB53800000-0x000001EB53822000-memory.dmp

Filesize
136KB

Download
memory/3644-20-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/3644-17-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/4604-56-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/4604-0-0x00007FFE22B93000-0x00007FFE22B95000-memory.dmp

Filesize
8KB

Download
memory/4604-101-0x000000001C9E0000-0x000000001C9EC000-memory.dmp

Filesize
48KB

Download
memory/4604-10-0x00007FFE22B93000-0x00007FFE22B95000-memory.dmp

Filesize
8KB

Download
memory/4604-57-0x00000000031D0000-0x00000000031DC000-memory.dmp

Filesize
48KB

Download
memory/4604-59-0x000000001DAC0000-0x000000001DBE0000-memory.dmp

Filesize
1.1MB

Download
memory/4604-2-0x00007FFE22B90000-0x00007FFE23652000-memory.dmp

Filesize
10.8MB

Download
memory/4604-1-0x0000000000F40000-0x0000000000F66000-memory.dmp

Filesize
152KB

Download