xworm | e3aa28ea62f9c5bd93e5b0375617d3403500093759edef26ef0630457fa0cf6c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

85KB
MD5

3d87d953dfaeba0d03b7e121f7dc61c0
SHA1

022b9c554d1b4eaa4bfa2a37f83b8d6bf1e50138
SHA256

e3aa28ea62f9c5bd93e5b0375617d3403500093759edef26ef0630457fa0cf6c
SHA512

866114ca2324d1caf746c7068ace685e775519f6df417a35b8ed7ca776f2162bde609bac256dae46e4cc72e9ac200cf5c0df502d19ffd28929ca90b1d6d95a88
SSDEEP

1536:Rv+mKGsH/BSvsSWU8bzZcAsxfs3CrYAAWhOu5KNWXxUMMjdeGtrfpk19Jz8AQehy:5vkzuAsxJY6hX5PyMabNpk19JY4q7

Score

10^/10

xworm discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

perfect-ringtones.gl.at.ply.gg:15597

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b9d-6.dat	family_xworm
behavioral2/memory/1440-14-0x0000000000A00000-0x0000000000A18000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
1440	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender"	XClient.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3444	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1440	XClient.exe
4260	msedge.exe
4260	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
3648	identity_helper.exe
3648	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	XClient.exe
Token: SeDebugPrivilege	1440	XClient.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1440	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1440	4700	Output.exe	83
PID 4700 wrote to memory of 1440	4700	Output.exe	83
PID 1440 wrote to memory of 540	1440	XClient.exe	84
PID 1440 wrote to memory of 540	1440	XClient.exe	84
PID 1440 wrote to memory of 632	1440	XClient.exe	94
PID 1440 wrote to memory of 632	1440	XClient.exe	94
PID 632 wrote to memory of 2040	632	msedge.exe	95
PID 632 wrote to memory of 2040	632	msedge.exe	95
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 2952	632	msedge.exe	97
PID 632 wrote to memory of 4260	632	msedge.exe	98
PID 632 wrote to memory of 4260	632	msedge.exe	98
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99
PID 632 wrote to memory of 2828	632	msedge.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf49046f8,0x7ffdf4904708,0x7ffdf4904718
      4⤵
      PID:2040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
      4⤵
      PID:2828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:3616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
      4⤵
      PID:2656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      4⤵
      PID:1524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
      4⤵
      PID:4764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
      4⤵
      PID:1164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9331503359181762159,13914461200386137139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
      4⤵
      PID:4772
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Defender"
    3⤵
    PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF453.tmp.bat""
    3⤵
    PID:3864
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\67a6096e-ba51-4346-bce0-532bfb04f474.tmp

Filesize
10KB

MD5
36afc0ba95fa7c61d5767d926c0bd6b7

SHA1
3ba3f6b0dd63e203118168c8a25c9c274bafea65

SHA256
48739977bb5b11132918f64867b10c314245b328a0622e8133603714988797d5

SHA512
2c5105bc66209ecf927eb3a7720925878fe1943e5d70fb9b1e724f2e989a68eb374aa4f1e36bc4f233d4005832c79597e9dcd9fd5bc5114916e9c459e053da46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1b314a16011f032d1ba3cd3f0b164a1

SHA1
dcda74363ecf7f48b075d1531fc879850e6fbcb1

SHA256
d3cfe5cc57084a5ca3dff4b8ab6276af453c0866842c962cfdff53a8a1f9900c

SHA512
302aba1f6dc02ac2336ea8e7aaa6fed2788e84f41a0855f79eb11fc6ba833d91a853687f5b1bbad964f1094a48800817982e8804547e74c6eaa6ace2a95cf81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a268482aeb8fd775b15bb2e606a6b6e

SHA1
e011dc7da9055f4acfe1ba12a002593d0d36752b

SHA256
16490b27e720e98eb77f145a7b6caa79078e1881c60f65c1da568f714bdcbc21

SHA512
aff9b14dcbed21e6eddeb071146300d562ecb2b0915ac63044fa9c206a6ed4e134c75ec66696a21c74e29466cae28ae4e4e932acb4df776eb363b8882f0dae3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ddf267a10217705fcc7fcd94ce17646

SHA1
c987c61f675469d7483716095394ece75225437d

SHA256
86274b774737f133c5fa7f0bd1273fedf5f247f5dc9dd17424baefe8484dbd02

SHA512
18d22e9f4f611a66e0167de6ec4ab5d8616d5464b7216b90b57d42a62de5e26b27eb981f3caf37d9f5dc9703c3f1e57053f3970785b5c0f221227fe56120508e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a150e0b4b72e9976bcef7f299779420

SHA1
9430dfc4fc9fcecf91a49d41ae6910bc7bc5fff0

SHA256
72767cdd7229adcc9037c6f45674f7b53250b55c1d8e329b12c13bf2574a1fdd

SHA512
1d0b952ca4fbf0ace75a225097fa78dbf451ddc8d0567c65bc2577f813a7c010f9af9bff00ee8ae5f309bc87238540e52d60fde486ce3d4801bc2146710b746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF453.tmp.bat

Filesize
156B

MD5
fcf1260ea9dc2c37b59a4457643d4fb7

SHA1
ecd4b96f5884750124bcfbb0900426ab2193742c

SHA256
475a517d96a1f1bf54b804ed11552226d8e923937b4a61b31d5baefb5df283fb

SHA512
673d88b8e179dc10f7262324b0cffa9e9cd5a20403889e2b526b84d5400693798f5e4dd077a5630481019edbfc60f574282841e5645973384c40350dc54a578a

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
70KB

MD5
05eebe47480a9a5c13c7b35229d4fe2d

SHA1
8c9e51bfb40382864cd1d5db738c9743c923c745

SHA256
f59fdbba08dad0ba86211e9e74086059721f8706a24c57c10867a33d9d421a6c

SHA512
87e2f3586b15175e6e375a6e0f7438fab2492f96a386b1780951a6741db69aacf0a18a493c91ccf3fe4c0a7439c68475935aba1db8b5248e53318700dc2fde6d

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
db11d0f1cfa068b6e9e446ad575e19a5

SHA1
2a231b1b0e2d96e3df3a48d5f1578f0af6444c21

SHA256
46ca0aaa44cee88be393eb445e970f9849ded8fb99b4f8cf707e12358ff2eaa8

SHA512
e59c233fc47a44c9303c90a427cdf645348eb74c62e64284dad01665289c01f90cd7677c9b101f0855329cd7d29547a0443d253a6effdb1393fcb24f1549e14b

Download Submit
memory/1440-19-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-231-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-22-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

Filesize
48KB

Download
memory/1440-21-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-20-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-15-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-14-0x0000000000A00000-0x0000000000A18000-memory.dmp

Filesize
96KB

Download
memory/4700-0-0x00007FFDFA733000-0x00007FFDFA735000-memory.dmp

Filesize
8KB

Download
memory/4700-1-0x0000000000F70000-0x0000000000F8C000-memory.dmp

Filesize
112KB

Download