stormkitty | aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939

Analysis

max time kernel
974s
max time network
510s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update (2).exe
Size

79KB
MD5

810d912112f579781879ada392b70a53
SHA1

247bc212d2d44184bae484049765240ac9fa5c32
SHA256

aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939
SHA512

30fb6d77563a3a0d6b94a9ea9fc2f67c6dda3dc3ac2afd4e968ec998f2eabd1797d751fdac491a979e68301efc633c47fb2668a8abd0c5f0dcff6d12ed8ead0e
SSDEEP

1536:N/SpZjwaZD0YqEnwqaDrMk+bXxNEPZSBVGGmMRZOf4miljMt8xwR2:CEYqEwjrv+bB8DMRZOf4m8M+a2

Score

10^/10

stormkitty xworm discovery persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

daily-sexually.gl.at.ply.gg:25670

Attributes

Install_directory
%AppData%
install_file
Update.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1260-9-0x0000000002210000-0x000000000221E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1260-1-0x0000000000010000-0x000000000002A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1260-326-0x000000001CC30000-0x000000001CD50000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	Update (2).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	Update (2).exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update (2).exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Update (2).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1260	Update (2).exe
3224	msedge.exe
3224	msedge.exe
4704	msedge.exe
4704	msedge.exe
3244	identity_helper.exe
3244	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	Update (2).exe
Token: SeDebugPrivilege	1260	Update (2).exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	Update (2).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4704	1260	Update (2).exe	92
PID 1260 wrote to memory of 4704	1260	Update (2).exe	92
PID 4704 wrote to memory of 1264	4704	msedge.exe	93
PID 4704 wrote to memory of 1264	4704	msedge.exe	93
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3240	4704	msedge.exe	94
PID 4704 wrote to memory of 3224	4704	msedge.exe	95
PID 4704 wrote to memory of 3224	4704	msedge.exe	95
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96
PID 4704 wrote to memory of 4296	4704	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\Update (2).exe
"C:\Users\Admin\AppData\Local\Temp\Update (2).exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf46b46f8,0x7ffdf46b4708,0x7ffdf46b4718
    3⤵
    PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:3240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3448
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    3⤵
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:1312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
    3⤵
    PID:4160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8144538981326139894,1409223546103856933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
    3⤵
    PID:2076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
47432589e1384e6554429c4f13c05f37

SHA1
91baf1144474e412582eba917b756823adae4b2c

SHA256
22fd0382c5687f75aac2421cd31ca00090c77f9584b27e6f47a3adcd1f82c0b7

SHA512
9ca64f2ea07a40031b46abe662ce1ccefdcaff110ac6490651869fd0c10261a07846836fd037825584bb45daa22336ed1e4630a5ff540932abebb8c0bcbb23f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
655b9ed75bbeaf27e703483a63231817

SHA1
9e5f054cc6e04779d828087b72667394ac571870

SHA256
4055b496fb743899a5808f01bba9c379067240e0f42bec6d963721e41ad1c83e

SHA512
7e6adbefb8ca53d294693a8507ad7e9d7d91dba382ceddfc0ffacd22d943dfc72da4d512316bbe8eb276218b7ddb4e350396c030e0db1edbdd00a4156415b934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb85f55a28eadedae09866a95a29324d

SHA1
f69c254d92685c1c4d022d9363523ba04a2bb482

SHA256
bca2d3c74d99c8c93d2d805cf9d8fe2937a829ec406d7a3fd5630e9f6c369a18

SHA512
b7dbf60efac8091c3f5f4f3ff86a6570a09df2164bfab3bbdd944e2169a51d6d38e75b2b9cd8ae331b225c4a1341bf660fd441def4e75ccf401b5104c000b74a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1dbc599cbf4adb6043c0c43d46cab862

SHA1
e1297a61f0445e8e9bf3f73331ad6cc2c2513e53

SHA256
884d64b31bbfba2caa964dd043af3c7f9f5cef6232b2591a6ec90c4b0e5695f9

SHA512
d541706e30c1cf8e7a7d18a12951e65d93468aa2a9d078b6c8d8fba388ec9de3e9af579919f16b800dc624e4f5a7eeade4c0d4ccc4cfdd3e938fb67d2e97af2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7bb36b3299826c92c9bd8a524e796915

SHA1
b9aa977cc29b24dbe16b158696dd59c4dc2967cc

SHA256
b448865230cf5052f93de4d5f22e0a4d4162528f81fd47a2e537b25ab583f094

SHA512
c5d74d514cf905f74ff5ed306156b763d9e1e0a3aba2539de8c5edcdca119699c41023c6bdb6897a7c871a672505043ca66196c90f537aff23487013cd1170e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
73df4f4febe9ab190c27d3bae40fa7da

SHA1
d3f086a41836e5e63dce5307861be0742c5385ba

SHA256
b343e1461e4c48850ef7fad742280a43106c373117ad2df5a65df1a30b39104b

SHA512
e5181e2b985061fa4cde8709e8dcd24f670240f32d799254ee4804f4dda973d2b60d5488aa2cb00ff6a87331aa50068ac16a98e8b340f5e65edf11d7816ae5e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
db11d0f1cfa068b6e9e446ad575e19a5

SHA1
2a231b1b0e2d96e3df3a48d5f1578f0af6444c21

SHA256
46ca0aaa44cee88be393eb445e970f9849ded8fb99b4f8cf707e12358ff2eaa8

SHA512
e59c233fc47a44c9303c90a427cdf645348eb74c62e64284dad01665289c01f90cd7677c9b101f0855329cd7d29547a0443d253a6effdb1393fcb24f1549e14b

Download Submit
memory/1260-7-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/1260-8-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1260-6-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1260-9-0x0000000002210000-0x000000000221E000-memory.dmp

Filesize
56KB

Download
memory/1260-11-0x000000001C330000-0x000000001C33C000-memory.dmp

Filesize
48KB

Download
memory/1260-0-0x00007FFDFA733000-0x00007FFDFA735000-memory.dmp

Filesize
8KB

Download
memory/1260-326-0x000000001CC30000-0x000000001CD50000-memory.dmp

Filesize
1.1MB

Download
memory/1260-1-0x0000000000010000-0x000000000002A000-memory.dmp

Filesize
104KB

Download
memory/1260-366-0x000000001C7F0000-0x000000001C812000-memory.dmp

Filesize
136KB

Download
memory/1260-369-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

Filesize
10.8MB

Download