xworm | 47976794f020cd6a26baeabaec503610fdf89f6cc9a2f843ee2aa078db6e63a9

Resubmissions

10-02-2025 21:27

250210-1a4r1ayjd1 10

10-02-2025 21:24

250210-z85lhsxnhr 10

Analysis

max time kernel
762s
max time network
887s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-02-2025 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

63KB
MD5

b4e148797a99791b7d0aeead19b680ea
SHA1

03066b079fd8915c7876c8a64f51c9c80fe4bbc4
SHA256

47976794f020cd6a26baeabaec503610fdf89f6cc9a2f843ee2aa078db6e63a9
SHA512

d0b270d8adbaeb715ed747aa1c1a8b89deb892b45fd147c95752a91ef9c6bda175662d011fc6d77e6c611d55e94a36ccef16aca255aafa8aab80897c26e3b1ec
SSDEEP

1536:cxl6n1aLNbE3gRBd9XhS2kL++bTIDx3ZLL6WnFO5tgo:cr84Rg3edfS2kL++bTyLJFO5yo

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

data-save.gl.at.ply.gg:61841

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4544-1-0x00000000005E0000-0x00000000005F6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4552	powershell.exe
4668	powershell.exe
5012	powershell.exe
2772	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
30	1944	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
272	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4480	timeout.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\s	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\.ENC	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\䆟縀䆁\ = "ENC_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\Local Settings	helppane.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\.ENC\ = "ENC_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\s\ = "ENC_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\䆟縀䆁	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1132163375-3267464992-3122396738-1000_Classes\ENC_auto_file\shell\open	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5732	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2200	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4552	powershell.exe
4552	powershell.exe
4668	powershell.exe
4668	powershell.exe
5012	powershell.exe
5012	powershell.exe
2772	powershell.exe
2772	powershell.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
1776	msedge.exe
1776	msedge.exe
1068	msedge.exe
1068	msedge.exe
5196	identity_helper.exe
5196	identity_helper.exe
5860	msedge.exe
5860	msedge.exe
5484	msedge.exe
5484	msedge.exe
1484	msedge.exe
1484	msedge.exe
4024	msedge.exe
4024	msedge.exe
5780	identity_helper.exe
5780	identity_helper.exe
3736	chrome.exe
3736	chrome.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe
4544	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3124	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
5484	msedge.exe
5484	msedge.exe
4024	msedge.exe
4024	msedge.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	XClient.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	powershell.exe
Token: SeSecurityPrivilege	4552	powershell.exe
Token: SeTakeOwnershipPrivilege	4552	powershell.exe
Token: SeLoadDriverPrivilege	4552	powershell.exe
Token: SeSystemProfilePrivilege	4552	powershell.exe
Token: SeSystemtimePrivilege	4552	powershell.exe
Token: SeProfSingleProcessPrivilege	4552	powershell.exe
Token: SeIncBasePriorityPrivilege	4552	powershell.exe
Token: SeCreatePagefilePrivilege	4552	powershell.exe
Token: SeBackupPrivilege	4552	powershell.exe
Token: SeRestorePrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeSystemEnvironmentPrivilege	4552	powershell.exe
Token: SeRemoteShutdownPrivilege	4552	powershell.exe
Token: SeUndockPrivilege	4552	powershell.exe
Token: SeManageVolumePrivilege	4552	powershell.exe
Token: 33	4552	powershell.exe
Token: 34	4552	powershell.exe
Token: 35	4552	powershell.exe
Token: 36	4552	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: 33	4668	powershell.exe
Token: 34	4668	powershell.exe
Token: 35	4668	powershell.exe
Token: 36	4668	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	powershell.exe
Token: SeSecurityPrivilege	5012	powershell.exe
Token: SeTakeOwnershipPrivilege	5012	powershell.exe
Token: SeLoadDriverPrivilege	5012	powershell.exe
Token: SeSystemProfilePrivilege	5012	powershell.exe
Token: SeSystemtimePrivilege	5012	powershell.exe
Token: SeProfSingleProcessPrivilege	5012	powershell.exe
Token: SeIncBasePriorityPrivilege	5012	powershell.exe
Token: SeCreatePagefilePrivilege	5012	powershell.exe
Token: SeBackupPrivilege	5012	powershell.exe
Token: SeRestorePrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeSystemEnvironmentPrivilege	5012	powershell.exe
Token: SeRemoteShutdownPrivilege	5012	powershell.exe
Token: SeUndockPrivilege	5012	powershell.exe
Token: SeManageVolumePrivilege	5012	powershell.exe
Token: 33	5012	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
5484	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
4544	XClient.exe
2516	SecHealthUI.exe
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
5436	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
3124	OpenWith.exe
4320	helppane.exe
4320	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4552	4544	XClient.exe	84
PID 4544 wrote to memory of 4552	4544	XClient.exe	84
PID 4544 wrote to memory of 4668	4544	XClient.exe	87
PID 4544 wrote to memory of 4668	4544	XClient.exe	87
PID 4544 wrote to memory of 5012	4544	XClient.exe	89
PID 4544 wrote to memory of 5012	4544	XClient.exe	89
PID 4544 wrote to memory of 2772	4544	XClient.exe	91
PID 4544 wrote to memory of 2772	4544	XClient.exe	91
PID 4544 wrote to memory of 1068	4544	XClient.exe	116
PID 4544 wrote to memory of 1068	4544	XClient.exe	116
PID 1068 wrote to memory of 3984	1068	msedge.exe	117
PID 1068 wrote to memory of 3984	1068	msedge.exe	117
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 4684	1068	msedge.exe	119
PID 1068 wrote to memory of 1776	1068	msedge.exe	120
PID 1068 wrote to memory of 1776	1068	msedge.exe	120
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121
PID 1068 wrote to memory of 576	1068	msedge.exe	121

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9901e46f8,0x7ff9901e4708,0x7ff9901e4718
    3⤵
    PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:8
    3⤵
    PID:576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    3⤵
    PID:1720
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
    3⤵
    PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
    3⤵
    PID:5512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    3⤵
    PID:5676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15995598555021377798,8734802404815814136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
    3⤵
    PID:5684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5894.tmp.bat""
  2⤵
  PID:5428
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4480

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDkwOERGMUQtQzJGOS00MDZDLTk2REQtMDVDRTc0OEI2N0JBfSIgdXNlcmlkPSJ7OEY2RUJCOUMtNjJCQi00QjVELTg2QTQtOEZBNDgwQTc5NTFFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0YwMTY5MkYtRkY1RS00MTEyLUJEODMtNDU2QTZDRjY1MUQwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NTU1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5OTgxMDYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAyOTIzMTM4OCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:272

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2592

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2884

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4260

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2744

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\SyncProtect.xltx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x148,0x14c,0x12c,0x150,0x7ff9901e46f8,0x7ff9901e4708,0x7ff9901e4718
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2745179509922161747,881010072877895492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2745179509922161747,881010072877895492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,2745179509922161747,881010072877895492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2745179509922161747,881010072877895492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2745179509922161747,881010072877895492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:6016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9901e46f8,0x7ff9901e4708,0x7ff9901e4718
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7739532541184421161,4884821089343382573,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7739532541184421161,4884821089343382573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7739532541184421161,4884821089343382573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3044 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7739532541184421161,4884821089343382573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7739532541184421161,4884821089343382573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7739532541184421161,4884821089343382573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7739532541184421161,4884821089343382573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3124
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EnableFormat.TS.ENC
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9aeb1cc40,0x7ff9aeb1cc4c,0x7ff9aeb1cc58
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:5432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4620,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4460,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,4985787352325904137,2437339705140047665,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  PID:5272

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4552

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4276f8b674afa130b17d1ffb8aa984e1

SHA1
707861b5cc3f86cd8baeaaacca446a812f3c25d7

SHA256
5ba0020c511ffc5ad6179e26ee1e5759af6d5b6ae23c0e563f41e53f25c26d4c

SHA512
b2065fa1275c0b698e39cf5690467b454367f3fd104bfb97cd29594ce1c7f8ef68e28098be8d8c27255e1deed1a3fefe9634928998485629840be9bc7f06bf31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
460528175290b6b9edad745230b7a599

SHA1
a7b439334a9a3bcb828428c48b99d1fd3f3bce99

SHA256
ab21a41ae7d86c49a6b02a83edbebe29725f213cabd4e2d2f7be67f54bce4881

SHA512
ed2f77358f6292b6137a0d094493332fd019258a85e3f618d95a87c663d0ac6f26e8201217f7da0bfb4ee5e8c4b1663cb6717b272414ee8ab25b782388a881ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
65a212178ab9ae78c0a154132c19e6ef

SHA1
6d9b4ccd735d855d3f138b9da2d93919eeaf0f5a

SHA256
5b39090557a592d84daf96fb05126168fdedc01a29859bd3d4a623ad3bc8361e

SHA512
d7a58859ab1f55f60c7b11953e81d2dba11ccdf8e7b64591149c29cc23cb7c1a55cfdbafb7aa55b632266ab493497bf097f6854e7813af43c2fec8f1ca849c92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
1f10896ae39ed4220425fd8d98e389aa

SHA1
cd40fa0fed0a1f696b10c9648cdc00ec1d373307

SHA256
355e0f6587babed0621a90978ef969e2922fe4b5bda297801fb6a5492b18479c

SHA512
07b77be37fd9976cda1d5cff1afd1a59320d2e91f205d56736944579eeb0067be3a2b6594a423ca6840d8e4fee66b03e57dec9c2256ed928b49ba24ab1f9b913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
bdf707420da4f9b16d50a66a150b61b4

SHA1
ad56b07d31d05db8228fab12938863143a5a7314

SHA256
692d171650ef9e8e10f61118cfe0b2a94b8ef4181b570d0818c50bbc9905a605

SHA512
10fd69c1d7276fca1f8e7997c39e789024a6c0ed095145cfe481f486962784a6a0a30126208922ffc8da6e417f274c516729a059c093f71849f99d45cce6e532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2701ebe5-0e74-4ae0-bab2-c6911900cd7a.tmp

Filesize
10KB

MD5
94c62eec41270adca3bce0843864fa34

SHA1
d9563689007d96ed736c282adbe40f066c3d1cc0

SHA256
fe30bdf085a2c3af4d4f61eca5042fb738d6bf9776c576e443fb48e95e10c5d2

SHA512
9af6b90eddfbc307695861d9ab6f4fc1bc204ac25fcec4210d589c4489a7a67805b7c31c8078a67ae810c734de8f85e3ff95b7dd66fe51f1277ad77ccce78f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
93c24509a4655fc4e247810f1237b016

SHA1
af42f0737a2e7d324303b18ce7da8c86a3753782

SHA256
d9eee0267974d42fd17c21fc5e594454dc7e671314cda3dfa50469ccfa4cfab8

SHA512
c3d878b87cfe8756432325425ec98cf65c4898ed32e2baf674b66ecff18eaaa6bb43ff964420aba559f5fca25f9fd7c4c983b0b6cc2fb47db2f350a33b42b8c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2251d7de55736b3bb911609ae8f330cc

SHA1
fdc91e7fff0a409c444a58fabc0704a3c628052e

SHA256
d13e84717ab6d64ba3b3c0427fe226aa827a6522575fb58d77b63f0816f26927

SHA512
559789f5d62ebaea1af5db20edd6bb6661f89fa325aa5ca769581f53224c123f8a13148d474ab4f4d6e47ee2d5c8849671ecfd97f23bdc72eb1400ac035c10de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3104a3081d10ab6b23d9a65ef40ab3f8

SHA1
6015b99e4c720e4245a42a57a0363bc3d2b52b80

SHA256
abf88417b3c971f5c7ef35358933192374e4f409c35a800be0fcf6c8d0ad283a

SHA512
0fec2abb8189149855f8faa46fe1402186b8d820abcb1c3b124b3bbd9d2b36c5a330db6a395bbc89e001e138281e5fa698d2ef6c575c9baaa2c15307459330aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdce59dc5a9aeab38d4b3666c29951fa

SHA1
75ff1b374b24e7ddcddab7f0fe7d7d71a6b1d530

SHA256
eb4b76eb41e2b579dba9c6a63bb3eadb44cf3dd31feea5431bdc27c03872d063

SHA512
5f7e65f2911c877084813fe96616dc74c486d1a1846c662e7fa8ba3087126f6e0e4163ee319e9cb75a80d107f9103c120946dc1a64bb2d426ab82d4bc4abe414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
123935094928b81fd63888a01cfd9f0e

SHA1
8caa76b2da748c71d829169b9d3f7165705fbdb0

SHA256
b945d1d9271cd8abc039505bb0130bfa18c6f2f5e47ffc183f72f9e0c2556c4f

SHA512
3f8d9256622e7b5767f71f4536344a93fb41b886045492db2d4eb7737544b5c92ac7a82541a3392a7d9c6b8a64d5c9bd2b326f65f127af49a9f5a694f9d4c1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
97cdc316b5bbb1e0c4302700f5aa05a4

SHA1
7270460d3700a260b75af0d54f284cae8ad3e2c1

SHA256
6699f9997065b3bfef3aa21f50d54e1884e90f474fc1208dfe9a064b79013529

SHA512
08d736cbc11a116f9aca5a1ede8055bbf6aa32cc8fa4da0d6b9fb814c29434d0d65f1f776fc1dffbb941f65ad04347071540b2dc5d74b4e187eaae6fc53209a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
a30e512a58d3429c7f7462d58c54d4d2

SHA1
28d2b42a1927b837bab65da3092105572a73ef42

SHA256
b9e5acc3f00ddf2608ea5144c4064a99a8db433ca3bcc859a0cd15074d75fbc5

SHA512
f7f74598bb6f2d3999c1b387bb4f06045ddae94752ebf5b66640cf80ff647a63c801be3e3e5d6deb5c30483840da795d9fb102969d8918a7c90d16d22b0b497c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
626B

MD5
1bfae80a174b84f881f735bbb6af9b02

SHA1
4682395eba09bcee86e07f1d303bbe54dcae3231

SHA256
f4f2b3f6377da9c4d2272e5949634e94ce0ab2a12701313de10b1f8d84cc3fcf

SHA512
6c8cea9a961dfe716e5a25b1b4b0d647172d0ae10887625fef415dc7ad9dec485d7b10121a6592e31eaf32448b90a9c98b21c2502d68b98206b0fec401ca5997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
20KB

MD5
5bac15b6791b0e7b4fe1bbf88e313155

SHA1
8b1bda759dcb4dccbd1a174fc8c27e5089ec47c2

SHA256
c7a61c756ac47e985b96a879920af4fba0be48e9c9f092ecad360b6c1a11f9a5

SHA512
ffabd9950bb02c7a189c59586959b71614268520be95b2e37fb060fc30e87138b52c609cf9b0b623067ad29446fcdd25b5d112592e9be397c7223f078d3e787e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
80942f15bda94b4008823f2520634369

SHA1
7a8b8497cfdbcbbf2a6486e3b9f88b68d42dbecb

SHA256
8c1a8d1e2d2951a3e6ed815f702c62dba0aa7215508bf67c91027b3e6a3e7e78

SHA512
05c4d0d0d5a673c96c81af50f440516c60a77cbceae74df9f71aed42474d407ccbac32745fb52c0a89a8c9ee0ea48acf33f35728dfad9f3bd5b03e9c6722dc50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed0fd561698944618c62dc802d586bf5

SHA1
cbd0e8f050e0cc8217b8c70be89d5cbca8688b4a

SHA256
982464ae83ee9448ac8b7a98899ad5a887a82494f2acfe4a1b8ce6b1fdf78638

SHA512
167468979ec1c136be6297086f45001b3d0409ad4826a2600d14a59111edb37e5e071de164068d6dfabe615cbadd96d8fae2db1ba132c86843d2f17baa85b357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
542d7207109f4b2d342261b2ccb39a26

SHA1
ee5cf7168078c15501be64fc8432bcb92af52e74

SHA256
a6417a7e8e560333239eb35fe2c36d30b897d58cb61343825597c9b030db4616

SHA512
d480146dd2ddcf7902a302e0b90390814dd1e7189e85ac9595850b58a68f0722b914f7d3366ae8130261d4536e9bbb97f99979a937b2fa3095bede544c5454ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c47958445781e749d8a9434129e0a11d

SHA1
a974c51291ad524bce192bc43d9924df39bd33e8

SHA256
748c36ca3b0489b161799ace1135252995c6deafc96a5a95ab2ae4b19ecca111

SHA512
52cbcce16928562c3d5ce6c8ff78d9f3b8bc083f1816a7de9f0cbd861948ca97e8fe92c42def421a927ce767f18efeb4605d4c1fc6dfe56d924bfe6282afd20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
63e4905cd224035a4aed9b51505eaddb

SHA1
5bafe2b0753a77d095dd38f3e5d313cea63179ce

SHA256
b1d7e4ef36eac213fb7f95d7f5d6b3e42020e808982e2ab8d6ead989c56129eb

SHA512
d17f16653ae60c0d29c0f20c9ec6ef73b3086abbb718239cae87ef4b32f4580d0360785438a630322249d26470e716f2c8bae832b92647a3209f7e5475b10cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df1ac41a99b53475068066cb17321763

SHA1
3113cf8db6da2cfe2df0c049c22e00e03e88ccf3

SHA256
afb9e88efa7999f427a26453b33701c2402ff2131c31c75b818ec09ae089bf4c

SHA512
c8a8f9fec693c2268d76403d179a7c09c8d2e39c61519756b0dddcaabf7e1e5ab41a1302e92523eb49d19a82874e4a0d72bc2e9a7c714a41e07dca3972464bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4edf47fcf458c3cf4e93c5d48c74fdb

SHA1
4776a4659a4e07d00d72a2b9db69f80675eac362

SHA256
c441ad8dfcab1b6bd931ff3cdbafc90755d3b327023bfdf870de67b11816d698

SHA512
a341e8f8f34157a29f435cf7db93b9c0bf065fc4cc46367acad12d37197ad1c4fb80cb059ea01ae13b45fe5369f56d49b9ad1aaa788757f24ab74f10236fc1b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3c729b3d201cb086676aed5fe29819e

SHA1
4b8b73517bdae79b6137dba85a5221bd07d36cf6

SHA256
3c8ea9d35dfccb30554e609246731a1f752ef4dbf9fcff30375c9e819343b468

SHA512
1e4f871b9259e3ad2f213746003ee9ce34a9c4edebbcbd97867fbb86351038ac660b73a30f43db3aecce71fd4242fee43536b637d5ea455a7848e881d101f139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
109945e81fad8d09f17d64473c2a924b

SHA1
d92b7a7477e514c77a666652eb4cfb8b62d7a2e2

SHA256
8cfe37827addd715c88ef660eb57917bb82f62f39f86182a41db96b05a67f7ae

SHA512
8c8a29dadec2dbe99ed2ade0ef389d7cadf6b0b1d4148474d08da5f2556fb8a823e78ea8c55a4dcdc417f39588c7e3b0aa7ae414303593fbc79b4dbf8ab43053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c8cfe285a3dc3d43d128347e6f530c56

SHA1
92a193c5fdd0b0c6b2aadb7fd7dfcfd786628dbd

SHA256
82c43f0062b74b17fe3a351dc06f5b78d6df47d6a280038a913c488cd56dac65

SHA512
02377411bafa5c29b8163c6105a9a58540957fa3cda4b709a78f32919b79515d8ac8ee75ca9d363063fe344c7fa78e2cb4978a332050d4569cc4c387d330b6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
118B

MD5
7733303dbe19b64c38f3de4fe224be9a

SHA1
8ca37b38028a2db895a4570e0536859b3cc5c279

SHA256
b10c1ba416a632cd57232c81a5c2e8ee76a716e0737d10eabe1d430bec50739d

SHA512
e8cd965bca0480db9808cb1b461ac5bf5935c3cbf31c10fdf090d406f4bc4f3187d717199dcf94197b8df24c1d6e4ff07241d8cfffd9aee06cce9674f0220e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
9153f7d79c7e96aedd5a78b31db4c361

SHA1
2ea4b5b1f63e2d0c26fdaef58de3f53163c1176e

SHA256
5192534cda7fddc75b3b6a69d26a82411516b4cd94bdaeb009142e841ab1b7fe

SHA512
eb084b3948feb66302d000845917a7a95eeeefb454a4daa2421a420034c1e43b94a3cd90f7a1f8fe42df80cf847877c1779280fbe6adcfc0405bbfa7ba14753a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13383696575442411

Filesize
1KB

MD5
11d037c8fddd9e4c0c764db3915abbfc

SHA1
4bf4bd2832d8490ca40620528c1a84f02ba5aaba

SHA256
59c5d7d25447a831202d16d0e2140ef94cd902a14ac8a2bf456e1fc92f9c78fa

SHA512
abe8fc2a9ca7430f05c3b180a1d94443fc4dd7f2087f7cff1af18be25d3eade5c7ffd51500e17155d5924ac6c2c5fc89b29823a2ba0936057262287d1433f070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13383696575650411

Filesize
1KB

MD5
8a0bc17b02d9a1c07ab347069f79c7c1

SHA1
6c095c40c0cf859856e284d19b3dd772bd6e7713

SHA256
d65b246edaff50db9f6113ce31e67eaf22fd90759753136496a970eb7c85bf0b

SHA512
f35adf7438c22491e4b98a65e70049ea8a0344bfc49b30055e072463a28bc415c8b0251f44b1354f1b06f4150c3de2275d2194c14c63795bf7b635f75dbdc666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13383696608333764

Filesize
2KB

MD5
0c366bfae5ccf2b101ae02ff6f9311b2

SHA1
58f9470760e8eee725544e627ba4523fdfe71da5

SHA256
869099f8a08b2e9fd7685641be822e3f6ce09b18406b2ea33e2d24e45b60ad07

SHA512
221b2c829f42aa8d992d5545de171317abc75fd92921cc8dc9b37e40adccfeebd23550a0a25900758f66c4d7291b87dbcb47ff86a6976b72b30baa96e849319e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
5bfe86524c8033783b6a708ca17ec57a

SHA1
b15e76b92f9f439abb056a3e1e03b464ddab287f

SHA256
eb33188416f296b41b3ce2fdc6a046ffa00b5c00d170cc8062d66b93ed2be335

SHA512
77db6b46b7e9f0692f7cd3d9af1f77fa8f8dde1e7def62456e8a341ed69b76526ff815e398184bd333dae063c32eb75d7b6b9b796c7ecdc52f508ba01dc30eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
f7ecf8761f72dccfbc0c2a886e7672a2

SHA1
71a4a96e60f53bfb51777d499d28d6e37bd6710a

SHA256
d3a7ed98a41d4c10919e3aac6606cb4c3b8ffdb1547cc8c19bed6db9d6a8815c

SHA512
3f7673be8ea2ddb2c65e13c2cc1c432e866629bd45fc582e5f8c34572cc3be7aa72d1beac5fb4a3da856b05c9f6f463964292b1b7fce80dbac88b8f1f9e522d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
6831140affde679e8d8675c0cc249715

SHA1
7c5a979bc6397619c1970493853f371087e5de56

SHA256
6eddc96cd61cdaa1eaae01f78ec8b7a4022c982436d08f9a1708e36af68bdc31

SHA512
0bb1854db092558647e2580cbc5cbac19a131f82c68bdc972eb6454cd301ca0ec8461e051f7fcf01418eb7e1ede2d13b3f5bef3623737f2b6428d7c1b175738c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
ac26c22edc7ef99112bc9fd94111af8b

SHA1
d07742454e47d04b451007690d80073ec5c59567

SHA256
17e1aa2b3164f2e9e6d312d63e3ab40e7d84cad8897fbcf3ac01b3e2b96b7544

SHA512
461ea9264ad3f2125b85e025e8ad7a96b28d7ab1248b0ab2c57c9d0e2e1cb189c5f7a9bc28a4005266fbf7720ccbd7fead8b876f84497a7afdf24f88b6517f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
2c4cb2df34c72b1c31fbafab15c2ac6e

SHA1
262c9d1fa2fee09735e49ae03763f617fc9b51fe

SHA256
eb8114a749e96a7c4dcc00c8413edd05887d8483427af7845d4aef989010b313

SHA512
cb003a891010b103bb3911c31a0fe307e87dfcf9f3d9ff75ea9d68229a2feee09b90543b7d49de302eeca2da0709d517fbfdfcac5967c091814ba70de64e5892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e03fc0ff83fdfa203efc0eb3d2b8ed35

SHA1
c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664

SHA256
08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe

SHA512
c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

Filesize
10KB

MD5
bc0058a7ad14fdd665825512adecdfce

SHA1
1ed97ffb5baca047e5d9a7c63e77d398931334da

SHA256
6a43568723da730080fe3ec22db2df8873b5861a3b28f18b494dee134505b5d6

SHA512
71395193901610ca6a79606d33f920afc81cd5d0bb83cee125735a4896c9d9ed7dc86f3d7000525c4266fe602d3e1aab1f2e68fa315e8e57f9418e73a2f3d4d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a3e1fd20-930a-40d1-8465-49d6df3cda40.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab757b99-e60b-4572-954f-7254fe8c63ff.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
c9ecb69169444b9ef22382f6fa59ce03

SHA1
492bb96eec85e81616f0455682fd1d40967a746d

SHA256
32904e0d594566fbe8753d41551252a74804d590465262933f7a41031426b079

SHA512
83d27af647500961ddc200616478098a7523b39a5c37d615378178158be974108ee96988fa84716c382246da5a9af8700327f68ddebf7796ebe690dcc2c3990d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
156B

MD5
29aa1ba0898d1eafd25f428028d98a60

SHA1
af45e93226c701ed40b52a4b20de81dcdc526157

SHA256
ccd600025bc3e33e65804d21112af08251107dfacbd2d5a531e515dd4eda6f32

SHA512
fba5c95a80dc31253e22ec3cf2c24db8c26e584db342dc5274a6e3c0cb073d768a12b2ab6ae711104f2cc57af9eebbf0fbc8d70bbf9d4e8750b26fc1a6aaca69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
f9a7721ad03f3a6429e1e53ffae8e3a2

SHA1
94f504c3dcb0d7749742cc5792dc145bdeb21677

SHA256
e70723194c9b9d2c933812c136f429b308237eaeebf36fce7cd08066b888db57

SHA512
4ca7ca0378853e7b0b40eae9572068395228943895746e125cea0ab6e31c38f64dd3123afa4d9cc4aa073c03ff65654b03b48a99349829e6b5d75c15b58e5837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
536B

MD5
d97de6b81e332d86744f327b2930e5e3

SHA1
7ddf0c5102b98897ad7379dd72a590792fe52913

SHA256
3821db981e150ba155ca9eb63795967242559e86477ab25a9e92f2d04c1b463e

SHA512
761d966e02d0f9be66bccbb8289bd0a503982ec9e543c1525e3eff4bed98d49a4394fa15a513272cedeebc0bcdb1c3b72c3547823a6e164a07b3f94c9f93f727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
70a3873c09d682b0cbba7c014ad36f20

SHA1
797a98487241c758dbedb1c0087e5dbb4f0c868d

SHA256
6ca40a8cc41f6eec293d25a9fa14f8173e1a3e457c5df6cd30e8b4f7876ccf52

SHA512
ed24ea4afb4fef8745b37aea111bdbbe2a7fbbd0c345ca88f1794e85f698961ae92127d198487697c8fad25843e7bb7c2b4aeb03ef4063937f5dcdf7d3f64547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
926129aada4dea4eb5366f7255e5c9cb

SHA1
01f0da8d9d4e401159fc3c60dd3318e135456d17

SHA256
71938861d1b7c101774ce0bd3a9aab5296078131af6c228c05ff25a8ad77d221

SHA512
e0d6d867306fe43b08a41944a54b0f2c21c16b863014def907f1aba3ade1cd7dd9f84974903dc302d85762104a1417f33a885161946c5b1689f67625e7b429ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
5fb95cc9f62d9ec57d5193a41870bfd2

SHA1
a2ce62222ad1c97f90b32fde37824d2f9218c2b5

SHA256
b856b5fd8e18fc7041cd9922b8341d7e9e30a7ddd0c5f1d2b015ce83c7e07b3b

SHA512
a2dd0b1947297311d0ff203574ace972043aa30b24735a98ef39863083f3fa4b2e681cf2f4a348bd8c3de94192e3a3d2cee5392f1ecdd34d4cec81cd96c20ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
d3da913b5d729377457a425226120f0f

SHA1
bcbb5e23d4a76ebb92bf001a73788997ce2014dd

SHA256
50b49dfba85c80a41462d087ee84ba38a74822104e7afdbfbd7633859ea74b0a

SHA512
8c9a14020342556abe4e930b61bea295ed1ef57bb9a308a3204d80320d9dce09c6cf41d077eeefa6d2271202689b3586f76ce06e77fd713c2c0b2f9ab426fe81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
56fc60720bf8760543126ce199e94e62

SHA1
9652b7ae049d3b1282cff7f2a376d3f18ef16ed9

SHA256
3da5bfe97c6b8f9dcd315c0aca11fba51ab3cee34b6ab0945616d9d7fde9b0f2

SHA512
c6af1657c95e77f1fa7bc77ee26a8c5fe8ea64c5ff46425d17138c7548a45ba7d9cb720e3e6bea769075ee3331b985d93421e8c48f8d248997a47844b95d4c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5a61fe5b73ed739ee49df9640e0576c6

SHA1
6400e4e0a080d69b0a200fde4086f32deb64d494

SHA256
336aaad7c6f4b38ff29668b54a7c1afde9e2792f7855b8fc048e5c6e6bad0b0a

SHA512
5f24d028c1f289b1333c71d44fd92d52c1403300dc4222556ecd6eebf49f38689d1bb223f3b58b428605082eacc0f66f6f940900994b504c1489daa7090f5c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c58f46457beab556f660f6b9f182e3d3

SHA1
6b7c6ef5c9803b6af5b8e31b4c4498cfd8182827

SHA256
8c056d12d7af3af526b58acb974943966776c47b7960f62eed539b8323c2a7bb

SHA512
57f99e81b6d6d6db27236fe7b1baa3f2dc642afa5756b1369187a82303bb1160a6a9a74e13262b9268a80f97859cdaa1a68ff6d0f4384f641d58f696731aa37f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
69739935c77d95c3fb2d12e500f387c9

SHA1
de031e1d23bc3415940bed990c2129ecba512d5a

SHA256
24ce01dce8296294eb4893c196381dc5e3521b70fc88c41cf38791d22685a05f

SHA512
2e46e8e04845c347b3a4b42d7cd4256f6ffd3c0e7f9dd472f8c8149165572088966894db4be45ee8dd980aa9f0c26fe3bbde52d5b08a603b35598cd84c140fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
f7f2911c9b01cd7570435bcc28ca066f

SHA1
5b424dd32e5bb86429fc0dc0cd80838d255dc863

SHA256
786b90f835b6980fa9bb11bb9234ea465b7aab0e13e207bb4ba7bed209672e5a

SHA512
39905054453d1354c500f056d29c6c8416e093cd4a6c6b338b1052e3c1aa41b0def96cda391f6d8ae539d31b96010d5fcd9b739145fe926281277fa54a96a350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
82d71a229f7164db82ffa4321ebb3563

SHA1
4822e5ad302ca1f98afe936e36bdd49258b04bfe

SHA256
515cfbb61998984733ff7cf8c2fb14f2798139cf532ec7921d75c02a0028ad3d

SHA512
ed716283304aecbc12a6a0e938e305ec23893a6f32c8ee2c6546c5bc904b3ffdedd37241b44514920078f06cba7f159f8aecdcdacd110e6465ccbd931a512976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
403354ba818a5642b2181a6856544e0c

SHA1
d06fad4ef3ec2f960c104bb56ea737d272acd93a

SHA256
4ebc31c9ecc953fb693dba68a9e10a95a4f5635c2c2055931882a2dbc4db2370

SHA512
cfac349771f90455319e641eea55ed33ab973f6d887e1ccfff2a4e19eb46635c4f8672de9f76f1fd7ef92fa01e42dacb4d0d71b07e9dd01291a3387b41fc790d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b04023afa6d9369cb5a1e6516b9d2fb

SHA1
94fda3f466d65f9d39e81f4bcb9979d522770c80

SHA256
6a61f498ed05674d2ba9347c738d22dfef4f962688b314679fc74954af4b786f

SHA512
b1850892cbcf0627bea8d23ca91830c9464f9b1b092cf911190e516bc583d6abc8b0c4c36d3644590021dc39357499ecdac77722c6c6923dd0f71930dd506eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zox2ck41.phh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
734B

MD5
583f715a3ff129c8c3cebb1ab094d570

SHA1
e9b9b0af9ab072400e14df232373125ebb19b5da

SHA256
f1ad0d692d5f35f0dd66e664e211353a3ab2246e77d2e12c15843b097b6ec39a

SHA512
3e62e6a926b92643ffd7ad22b5a77f0d75f9ff7ec523ae36d1f1df7f1d52ef980f153334c742dcb1c0503127b4b5ba1bdd4ee9784a1d4dc8a3e01c75bc10b631

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
8011daf7914fcbb074b3774d236de7ac

SHA1
3e537ea6e12a3b5b7761da988fa18de3c982e46d

SHA256
2efd0ad1bf3f24343d3942e64f08f104c752eb3228b2355e8676a54426417f27

SHA512
18aa83b66cceeb3e8ebc3bc8d2fd7360ae64717e5a935fb0dddabe19f32fe04f3e04dda33191da4093763609e1f6903970b907d2d78998fc4988fabf8c49693a

Download Submit
memory/2200-198-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-196-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-199-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-197-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-201-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-207-0x00007FF973C40000-0x00007FF973C50000-memory.dmp

Filesize
64KB

Download
memory/2200-213-0x00007FF973C40000-0x00007FF973C50000-memory.dmp

Filesize
64KB

Download
memory/2200-297-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-296-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-294-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-295-0x00007FF975ED0000-0x00007FF975EE0000-memory.dmp

Filesize
64KB

Download
memory/4544-489-0x000000001B6A0000-0x000000001B6AA000-memory.dmp

Filesize
40KB

Download
memory/4544-0-0x00007FF997A53000-0x00007FF997A55000-memory.dmp

Filesize
8KB

Download
memory/4544-42-0x00007FF997A53000-0x00007FF997A55000-memory.dmp

Filesize
8KB

Download
memory/4544-60-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4544-67-0x00000000026A0000-0x00000000026AC000-memory.dmp

Filesize
48KB

Download
memory/4544-792-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4544-1-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/4544-68-0x0000000002900000-0x000000000290C000-memory.dmp

Filesize
48KB

Download
memory/4544-59-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4544-659-0x000000001B6D0000-0x000000001B6E2000-memory.dmp

Filesize
72KB

Download
memory/4552-14-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4552-13-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4552-12-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4552-15-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4552-2-0x000001CF33560000-0x000001CF33582000-memory.dmp

Filesize
136KB

Download
memory/4552-16-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download
memory/4552-19-0x00007FF997A50000-0x00007FF998512000-memory.dmp

Filesize
10.8MB

Download