xworm | 0bd0d98f307f71fb3e4d1e529f43ce88b467e7680e913593c2ded88497c76922

Analysis

max time kernel
154s
max time network
294s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20/01/2025, 14:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

hiii.exe
Size

82KB
MD5

471df0297416eb4d460eb23ae23715ca
SHA1

01c40be91002180c4298ecff3368e1006a9a51e8
SHA256

0bd0d98f307f71fb3e4d1e529f43ce88b467e7680e913593c2ded88497c76922
SHA512

86bdb0569a2b6a239ffa2e0f0893fc581f2c9492c81844dc7dabc6e9ee4342ad9c4784a1ede947c882a13fc3d40601fb65e1f6b0c06cc04194e7fd1e8dac56b2
SSDEEP

1536:cIcjOqaGSFhad0wC5FwJH44b9n02hdg6GQ7OeMXth6ddS1EAd8IIZ:waGCnwC5A5b9Fdd7OeM9MXgEA6IIZ

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

form-possess.gl.at.ply.gg:43228

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4748-1-0x00000000005D0000-0x00000000005EA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3108	powershell.exe
2804	powershell.exe
1960	powershell.exe
3828	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	hiii.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	hiii.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	hiii.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	hiii.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3828	powershell.exe
3828	powershell.exe
3108	powershell.exe
3108	powershell.exe
2804	powershell.exe
2804	powershell.exe
1960	powershell.exe
1960	powershell.exe
4748	hiii.exe
1004	msedge.exe
1004	msedge.exe
2244	msedge.exe
2244	msedge.exe
4836	msedge.exe
4836	msedge.exe
2548	identity_helper.exe
2548	identity_helper.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
5040	msedge.exe
5040	msedge.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
4748	hiii.exe
5068	msedge.exe
5068	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	hiii.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	4748	hiii.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4748	hiii.exe
1556	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 3828	4748	hiii.exe	78
PID 4748 wrote to memory of 3828	4748	hiii.exe	78
PID 4748 wrote to memory of 3108	4748	hiii.exe	80
PID 4748 wrote to memory of 3108	4748	hiii.exe	80
PID 4748 wrote to memory of 2804	4748	hiii.exe	82
PID 4748 wrote to memory of 2804	4748	hiii.exe	82
PID 4748 wrote to memory of 1960	4748	hiii.exe	84
PID 4748 wrote to memory of 1960	4748	hiii.exe	84
PID 4748 wrote to memory of 2244	4748	hiii.exe	89
PID 4748 wrote to memory of 2244	4748	hiii.exe	89
PID 2244 wrote to memory of 3956	2244	msedge.exe	90
PID 2244 wrote to memory of 3956	2244	msedge.exe	90
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 4072	2244	msedge.exe	91
PID 2244 wrote to memory of 1004	2244	msedge.exe	92
PID 2244 wrote to memory of 1004	2244	msedge.exe	92
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93
PID 2244 wrote to memory of 2504	2244	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\hiii.exe
"C:\Users\Admin\AppData\Local\Temp\hiii.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hiii.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'hiii.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe8a273cb8,0x7ffe8a273cc8,0x7ffe8a273cd8
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:4072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:2504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    3⤵
    PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:1568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:4636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
    3⤵
    PID:2360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
    3⤵
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    3⤵
    PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,1340381813485628283,4324363860305538993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2548

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe8a273cb8,0x7ffe8a273cc8,0x7ffe8a273cd8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4489942889888674818,12141544989037504944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:1984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9bf61777e09c1d009e81dfd16a7873a

SHA1
d97beaa86eb7dea94c51b0e31db3fa574b664602

SHA256
0e1a5d6520f10bc879871f849d04d290639109b6c46da0bf6bc679d2e444e726

SHA512
b0c59ce6cfa0a2041c9607b968e7bb0ae94a24ee34a92a4778b268f42454f76c92839ba7cb13d36560b0111962b5eaf19b95732d7011bcb9eb7dd9a28e527086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2bacef941a59fd9cc2cfc0213b422f87

SHA1
ae80e327a07c7639a0855e5e31dc7ae59e252902

SHA256
844c33fe1cc6dbc0d66499c0faf09145079c0dffa1a88e5be6df977a723c71c4

SHA512
7acf8095dc50d630a1afd5c5e0d4f87cbd87f58298b054f2d9b1dd21514c292c6523e73d23b79f77795a8b370afaa7a070a5073365ad8f648720eccf2c3afbf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
b8cb05a5c2aad8807cf0b2ce627fd61a

SHA1
79667972eac2a13d817657d2903fb9286d7bfb31

SHA256
c677e449d49dda7f00aa73294d2276425d05ed491e7f3185abc2c2f42be2098c

SHA512
8c0240f2c66725537c50c9fa50a7f9348adedf1b586d73c902fa42b852747486ae12c4d22f1d84cc89ee70a427f872e78231ff018f917251e21a56ce9108568a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
4330b7bf657f1942139bdec951024718

SHA1
dcfb7a96485edec5ab66a2e6235518c11186c61f

SHA256
b0a0b8664719b80a4185bf3d39cf59cb7f3e9f496e31645b396d66fef99dfe30

SHA512
18136772cb6a1cb573d85e55b48462908e505d98a44d9ea4cb2ce76cda41105eb54a25aee810c7c87da68f95ca9606b503ed05ca7919d1b78718d52edfddd103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7a65f9664e2257f92dbd231010e744a5

SHA1
b677b4fd0e5ba27d49fe8ea632f67ef14f352867

SHA256
7e49704f046ddff1d4add3a73ffba649176a918a49e0ed4409fe2b38cede495f

SHA512
2f0e812b3d1d287e3dceec622a301bf109f417f6ea33a6afd4b480353bf8607baf231f95fefbf5da02d8a4995cc9982235fa4273a91365670cb3fe6496a133fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
bbe8eabd6fbc3c999a9679daa5d47bef

SHA1
df83a61415d61a8f43b3bc8a7679f98accd36dae

SHA256
cedbf0fbec9d37ef3331c41cdf6e1270702e77a2077a6d76d01c657e06f0fbfd

SHA512
74a7c39d1f907cc9432bb9da13ba5ae46aaa06a1a38183fb814c0ab28a747335d356b8d0fca8a728cf2a5b40c21425a8b45a92f8d9ab3c6e64fc433f155d52a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
7331f9cd57ef1f4cd1d5cb34a77c9647

SHA1
0fabd9d7541e9c1d31d31b51be23876d7af2e985

SHA256
c5b788b08f2e8a1834f284c24e4029e00a308d621c7eb0e6606c22563a120282

SHA512
86ff0570cc22590b7443bdce217ab6399a106936d39c30e0726b6d2ea14ab13f2a901870a0b481812acc0d1afdaeb2976731c55f576463723e0ff623cd0dd014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
626B

MD5
a69651b2f8f156464e6bb98a5268db6c

SHA1
aa535be463f89793faa6985010ef00f791aee153

SHA256
9c2a64c8ffd45e265aa2575e72ea8c9d054414583f079d9347c0ec91cb04cf09

SHA512
8387d987aaa8193e244d0aca8a24ab75944cac33ff95fc0997e1062a8946af2ed630d8df77b86a6446dc0376c64b2e7494c7ff1113614f55598716f1341b5ade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
20KB

MD5
90e3da6c1645aa5dc5f68832161e3c2b

SHA1
6f4e84ee724bc58e8cb00cc6e8e0bd4bcdabf109

SHA256
7cbf4aa9774f3652adc3cd48e0de40d5486f9d382952f0d5a9139b9088584ff8

SHA512
8111b8533eab1636a31bd8696b471e63785ca75959e7d83da4d880b70bcd3c3c972279e7da908cc5c137dc7de1b267f818b530ff3a992f0fa8887567cdf34a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
8195ae0dcb2392b9c07861c54cefb8a9

SHA1
9e1373f19484570cc90cfc5a3b9ce216c7fc6d02

SHA256
07315008b907b3a4c855a74b8e61d255226acca53e44a114913772798d7a9741

SHA512
366035a5618a276bf3732cf730a52a4107b9616c0edfa78a205c20f1e50e3bd657e7eb8faf6a63c3e357f4eab14a13521a5d7c2d187fa3cfd9cde10933cd5cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
471B

MD5
f92724d1d57621f2775adfc5ffc1351c

SHA1
6526139e9adf6a2d6c19ce1368da7419cd280301

SHA256
cb3bef47d4b1a3491f3713825d4ffb6107b83c9bd06c6e0b0d459f6fe35c329f

SHA512
048e1c58e17449a28cd17216aaf4f24941bf3258b26de4a86baf182c997065b738df604ff8a7fddcc97285b38e685bb4672a46601ee0d42716c803990eb5d8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d4b8eb078c45a9efd4c2cc1c79d3baee

SHA1
572ce0249ad36cad92f09c279fe4e7aaa59b338c

SHA256
4db5deba100300263a368ba7d087f51835445fe69d16c2b38c2e72a269908c13

SHA512
9be5bc902711dd6aaacb296cd1d36e286048001d711e04dfb6cc3886c428011319b02749074011750071b5ef0b4ef59804a6a831eadc2f0988283399b8cf2678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e702e09f204c3befc93bdadc116fe2df

SHA1
e1b95ecf4238424b94e48e68c9ea6cac8443ade5

SHA256
541d5af43552190bf5849c7723d47b8bfb5c53d200f0edf5fe0b14bd6729da84

SHA512
bb9430af5a47e60ebe637c87030a01823f67a89a9363816a0182ce775ab824ee69ded11d912f57c0a06b8617746e4295e4281ad27a6a8116199677f4c2cb163f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a162cc7a6d19f8b7d00e392602a7b12

SHA1
09e007dccf8ca7afef6197078745ed6e798203e1

SHA256
aaf46c7e50e353bc1a499967d03137dbe322b27f2c498b4e5850711a90990014

SHA512
aff4910a73b4c200bebc0f96d549c3df7b2b72cb417a679d1ddea1ea0d283e0a92f3e10f664f9b89da2447f8a6cf3347e397f24a63aecb2107ce3e3e69a99b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90c2752c9aca4c9132112890092c6218

SHA1
59ce5fd9ae676deed531840812a14ca822643cdd

SHA256
5e03b520387fdb31e9484c369abdbd0137e14fa065236cf1b1475a551ef53092

SHA512
86fb289a7ac49373018e491f0bf160bd69255d43930aea52ee93bc3218c63430be0694ec7b51df93176b27b9d224c015e060d379c36248b7e74b8ab5447c7a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9530c3dfbb925fadd24a9e9c7e1598a8

SHA1
6a3809855fbc8d6aa4cec35a9512f0b7f35b12fe

SHA256
9905fb9ef8d43934fecf099e21c1bf970f9280c57281d7d8b1cb4a4610529ab4

SHA512
9dda1f5a91e4eecb2feaf8c3a2a7786bd7062ee4eb376ef772056e4f463efe156e086958514935b7710ff6ffe21aaedef37ca60d6a1ab5b773d9d6c4bb20b870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
c94a84ec74c79ba7b7faa15f71f700e3

SHA1
dbdae30299c9964d89bd138f21bc84af601fd234

SHA256
e202ea98c76188f65c324fcd817a487e1a213afdae49510e74acabbfa62fb18b

SHA512
066b6cbd574b51b610a3e64ff50c80a3d7d8922bb4f085698a1359cf30822b1de86abf4a47aa468a380c712fe30621f4157307d6f61a3f42bf21698986eff3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13381857836039754

Filesize
1KB

MD5
6fbb6b004c91d5de80dd5bc7099c5708

SHA1
000acfd41200aa0a43c33f0b845058f0279e353e

SHA256
97d047890fec22dfc5e244d83468d08a88b2cd32c20a201a38d9d5e025a7a5de

SHA512
f390222046cc7c0373f860e10989a86c3dda6606879e9d094205f3b69cc9d8959832fd487c594fe26c2079972a3705e35642d0f5f4c8c19c27c3d9c6d4ed57b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13381857836272754

Filesize
1KB

MD5
b23b51a5a47f4a94e4bdc56cfd506d0c

SHA1
4f6445b84b4256d5c799f69ce1aab914ab5a41f0

SHA256
a7fce249be91d32a25c8e33a43d27af912edeb61d4aa4455fe25ab4f9395e76d

SHA512
a0bd0025658ee5cfdc7ea004c83f34b169f4329e7e9838f10f100f62e915d4ed0dcba0fe2534aaff605c2fa2abbbd615951e10c193ec6911f0d8815b0b1d84ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
5afa26a19035d90ef28cb0b81dd821a4

SHA1
2db22821d644a7b9002aee0f8b3af53911fa425b

SHA256
2bdde5e9cb456e3f3782f675ef40a535cab6003bfb4779424356f6817c55ea39

SHA512
34b997a663009f5ec5eb3011fb1965bdbf72eca5a17855c501fe0d9174e0c3133adb320470df9ebd0b5c381b630642326a009181003dbb381f66c7bbb85e55fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
6b50210bfc01058e12abdec73ee26069

SHA1
8e8807640d113fcab2d73800a6bf9977a6c08eab

SHA256
050a7b038c9cf9095043801bc3200b7d5245cf84a6a52390f8a1669686ae3928

SHA512
427636a475459228ca2da9a7ef6c942d10726ffbec9176f2233002056008945f6564b50adee2c338917c91b033ba3fb737080eb6d474eb0637ee2cc08c9ac0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
bc360a2f2a3f318131e5f573421dcbb4

SHA1
43467287bf6ae5df739c1b45e9033f1cc81612c5

SHA256
d7bdb01c5193eff9c611ed26b91d139f8be1f84c5bfb2bb037d5c5d7c95d8c75

SHA512
abd6fbb60a328efa14d804473192d445039f1538a504615b6f1fd01915089ce61c9e6bf461c641f46396662dd27517c3d9f1450640e7d3477c5a345596ce069e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
54919e3785ed191894500e4cc4f0de61

SHA1
20106731c209e81ce872d45646a3449197a07b4f

SHA256
70c361fcc575763db2401462e0d9c3b0ea565400242505d1e6f4c8aaa7297db2

SHA512
bb6707886a62e40e000b50870b6d6822230d5dc3918188165442dbc301fdec44fa9710e658896ebe934c45facf0f4d882620bc50f302a28a13e87eb8f2f0b675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
5d5a4e57d9101714781245563f23f1d3

SHA1
50e65e56070250a206318067b53feba032591a44

SHA256
086ac9cbb3b04b2c7d80c75de5ebafd676c0de048ec6e4384935a3a3630a6c4b

SHA512
9b21206e131542a1fefa816e8e50c874bafa0cf1e7c429cd1a0ca78a3b72b37c8cc0e8a2d4932cce59b0b7a1127af279db7dd1a3cae2a4e14f5cdb15162ab464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
441af3fef2b3fc0846328c52fdb43634

SHA1
df7df809e8da4f611b2fcb780da8f5984ebb7fcf

SHA256
dbeb2c1fb317259c9dff4cd167f69cec6fdd6218cfb96f17a8e5a8fa39e48138

SHA512
f717d3063a760100484b01a5eb1a1189896c55f5717b13a177c25286b4a8b93dd2f1ddb82db3c13bfa86857d1562caf47872835fbef7127e53b9c3303521e45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
e7f1621fb872607045c83c7de25641ce

SHA1
da4072585a083ad2b20c932e7daa72e55e18e276

SHA256
7feac858cafe84d90eee8322db05f0be8a7d30f0168a80a0141207adea35d6c4

SHA512
18ae56387ace4cdf8f8247aaeb8d75c83826bdc983b2ebd9c0c60a35cfbfe38e23a87fa0c839e32e1c158cfa59d93efcb728151b67570cdbb3cda842c45c319f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
3a352edbf188309fcac446ef8af667f5

SHA1
7368daa8dafff4b4962812d34ff01c79f9c3fd13

SHA256
a90a544f7bce88609886ada57741f9fc83caa2cb0666cf5f765e9daf522b5242

SHA512
7229e988c877ff5830b8ec1b0ec87c6c20d42127200f981337682648e79276d530526f55fb79ba3b8cdc9ce0ae6bb35a4ecd7baa3a95d18194d325f902b95bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a7b46c089f9775ee1f55e8e3413edc48

SHA1
9634132ab3a006232b37b1da01ab003fdcdaeb1b

SHA256
2161997d8fb310431d896600bfbd6975867589b4f7f5ed26b3c27253551d6e23

SHA512
215a9b3689e9b234df0588beb1974e7d5881131d4fede5cb8e58823deeb2f479bb22c70df4b21e4b2d693edbe3fafde5376bfd6047ef4a61d2ee5b7bcff65542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
8d21889c4abcdcb95ef127d3c027cf7c

SHA1
a02998336dd57ede359302bf5e4e9b043e422684

SHA256
57328f89396492b0a411447ef45e61cccab4b601f1c2b0550152598c56dabe1e

SHA512
89924c4cff145d38da84462c65152dfb834c5dbf43fbfd413c457d8a29032fe0ca1bfdb8b32eb791496ccaaf67dca2618928e6d1880da5fb441f87951fc0bad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
03ddcfba41253248529a2476fa78ea35

SHA1
1eceaf4ce7d297a20654ae73d4d52c6711f48287

SHA256
261aae846c71d1a954bb8d48d37f99342a314395a748cfa2eae536d046a2cd88

SHA512
a53829bdf1785af6a17620ec50d1ad1cc169b3af7870a9af7c83f25eb14d3ad673bff43a0a96b7aba9d6b736fab4fc5e186340ed4d0a131d798b0b553794da07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c27233e75723ae73156e4a13d118d1e7

SHA1
b86f21eedf70c3ebc203f9ba0b2adf00ad0e5f60

SHA256
b67f7f0a537e2ede2c7e6b963714894adb9c9a6eab3cc188249f1942c328f0db

SHA512
c5922d52319048348f93652449a5f66f77728ea5cc887a259ffe8886f51db43fade67bedfb43f08b16ea72a4dfa4c40ecc0d1587f64c9deca8bbbfeb21d3f72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec7a04fd3af148a9637a2d3e10537f61

SHA1
9cd83d91df9500d0449307573f4e554f595cb2fd

SHA256
a3e8f18d95b9fd210b294bf189311b8722c96b65479daadf4433cee48ac50164

SHA512
4e81e232969fdc23e53288c2caec1673e783dafac0296bdafddf8bf5830cb2823438bbbc0e175c0b6eecd389c92d40ec1ad7667ae985a521f7e3dc6f083f9308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
6be9814ed9438938f38180a571920849

SHA1
2db41b51fcde8a7ed13c12ead1acf343d3b0e0da

SHA256
5caa21d3ac7671d86cae7d4369b96244d433c2d9b6bf521c7e7ddb9a63ce73fb

SHA512
e35f0112461977c34a28cc1798927763c86721d728eee39124f18504ef355eecba29f4a3e489a4bd4be346f4bdccd0bced3c05d62fc67bd09ba7bd015cc93763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
069c37bf9e39b121efb7a28ece933aee

SHA1
eaef2e55b66e543a14a6780c23bb83fe60f2f04d

SHA256
485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8

SHA512
f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0pbio3j.k4q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
5454ffbdb251d33d81d991996f7dc830

SHA1
891f97875333d73f1543d1ce0e52c92f958d71a8

SHA256
8252fed5943ab21abd5ee87d7072f2db31c5f84b16afd498e1ee7a6505195243

SHA512
aafc22c4b61194a35c728946f947dfc31c9418ebb2c958d622ab23a3ffad42cae7284bafbfa8047285f529f65df6e47353b41f1011d20c57f91a8f6f85f15d0d

Download Submit
memory/3828-16-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/3828-15-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/3828-19-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/3828-3-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/3828-14-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/3828-13-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/3828-12-0x000001DA78570000-0x000001DA78592000-memory.dmp

Filesize
136KB

Download
memory/4748-63-0x0000000002850000-0x000000000285C000-memory.dmp

Filesize
48KB

Download
memory/4748-0-0x00007FFE85A73000-0x00007FFE85A75000-memory.dmp

Filesize
8KB

Download
memory/4748-55-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/4748-2-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/4748-1-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/4748-62-0x000000001CBD0000-0x000000001CBDC000-memory.dmp

Filesize
48KB

Download