xworm | hxxps://github[.]com/HYDRO-cel/HDRYO/releases/download/executor/BootstrapperNew[.]exe

Analysis

max time kernel
325s
max time network
329s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2025, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/HYDRO-cel/HDRYO/releases/download/executor/BootstrapperNew.exe

Score

10^/10

xworm defense_evasion discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

october-casting.gl.at.ply.gg:46322

Mutex

DjMsEa9sMnX3gxE4

Attributes

Install_directory
%Userprofile%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002af67-31.dat	family_xworm
behavioral1/memory/3616-81-0x0000000000B00000-0x0000000000B10000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
11	3912	msedge.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	BootstrapperNew.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	BootstrapperNew.exe

Executes dropped EXE 4 IoCs

pid	Process
3616	BootstrapperNew.exe
3296	XClient.exe
1752	XClient.exe
3656	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\XClient.exe"	BootstrapperNew.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	BootstrapperNew.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BootstrapperNew.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BootstrapperNew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	BootstrapperNew.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	BootstrapperNew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	BootstrapperNew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	BootstrapperNew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	BootstrapperNew.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BootstrapperNew.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 293182.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
1196	msedge.exe
1196	msedge.exe
1392	identity_helper.exe
1392	identity_helper.exe
3336	msedge.exe
3336	msedge.exe
2156	msedge.exe
2156	msedge.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe
3616	BootstrapperNew.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	BootstrapperNew.exe
Token: SeDebugPrivilege	3616	BootstrapperNew.exe
Token: SeDebugPrivilege	3296	XClient.exe
Token: SeDebugPrivilege	1752	XClient.exe
Token: SeDebugPrivilege	3656	XClient.exe
Token: 33	4576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4576	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3616	BootstrapperNew.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3168	1196	msedge.exe	80
PID 1196 wrote to memory of 3168	1196	msedge.exe	80
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 4116	1196	msedge.exe	82
PID 1196 wrote to memory of 3912	1196	msedge.exe	83
PID 1196 wrote to memory of 3912	1196	msedge.exe	83
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84
PID 1196 wrote to memory of 260	1196	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/HYDRO-cel/HDRYO/releases/download/executor/BootstrapperNew.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde7a43cb8,0x7ffde7a43cc8,0x7ffde7a43cd8
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:2912
- C:\Users\Admin\Downloads\BootstrapperNew.exe
  "C:\Users\Admin\Downloads\BootstrapperNew.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3616
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    PID:1004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffde7a43cb8,0x7ffde7a43cc8,0x7ffde7a43cd8
      4⤵
      PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5552 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13707387993501956889,3790989996986149965,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:2536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\XClient.exe
C:\Users\Admin\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b98903eec4d4ba62d58ef15c040a098c

SHA1
edbfd3947a194ddd1ee2e2edb465eb7a57f27cb3

SHA256
698d9fcc6775ee16a41017cf13ccd9614001c681b8a4da741a1851f1b9f48def

SHA512
ee53739c6c098c48a594768bbbbada27d9728034b85e0e67220be097007348162f257a31f0669bcd17ba142b10b110680c3b5b18f9c40b37e5fa1fe8124d27e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
afe073f7cd46dc621114e4f8757336cc

SHA1
2063f15f773ff434b375a1fe4c593bc91b31f2e0

SHA256
e54fed17731c51a64a17e37dc2511159e55b308f0a67939477494c15166ebffd

SHA512
bfe0b1bb10d93def5ed5104e8aac1d74991de2ad64042ebcb35ad43e3dc3bfdb47d126a3c6632238e68c8e227187ba05f81192b50843162134222446fdb0b25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
245KB

MD5
e720081d3e920e4c3b0e40cfff5f2fae

SHA1
250802a50c2a2e3fa887b2f2fafd424f354100ca

SHA256
02ff85b0a2d10f5628d617e24c2d15117f6c6a1b612bacae094576c92c636028

SHA512
142a70496663222c466b5c114a6ac6d09b3e8c67d0bc7acb7f457287f1c6e8a29ef9d0ae3c657c1b9e6d4294d99c9d805de884b706d853d54b5a515d67ff5c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
34KB

MD5
abe88f15456620f4b525b46f7c1bdb93

SHA1
9d56c92f2ec9811e0f5058cf3448627e31d5b303

SHA256
fa3033febebc29dac8931145b25b9ee5caa571b9a2f414f9f157a0d1f9021f82

SHA512
1c8b61054b2b15df90103cd2d85e9b147db50c704b8e9122045c82ec5e7f627973cacc302c328bfe95b8808da46e859b75d5f4cb7897f2adda7654d254b2b58a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
34KB

MD5
c7389516ed0087969d1a9ce874e7978f

SHA1
a375ca3fe9dbeb7dd4cabc63108f7951d3529bba

SHA256
ed5e733bd18e480e5f2877f4b8e400df060c2b0340007d55368af36d4ce8b385

SHA512
a3b34cfc9f9b23b0b3c57fdf50a2a309a94f4d76751351c895cce6286beed6d2393c9549661e94a9356652aad9d006c9874d7c966831cdeb82208fa708082979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3f00cc6fa1b60a8b75676bf58288213c

SHA1
259203262c00d42179f24d40a6d140f7e252ea36

SHA256
d2971804c3686a2f1f6a413eda76ae7d81dcea1bbadc20f6781358a6cfa9607b

SHA512
64e09b308f8aac1972731646413670ad3bd64680b9bdb789dbb795155ab481d54c2ebf9e3dcae2d2e7fbbe69d103a53c2f161e93ce06298dd49dd22c185ca4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
037b6360855af7aadd05f885b478eb68

SHA1
0933425fffb5770992ac82a3aea1ce9e25419eca

SHA256
fba7e072ffebb6b51fc356b24470fedb516f4a52f459502bdef6c892d854dcc9

SHA512
09c1279eeec6b01b42f3280c45adfa728a0b6b0f97305b7d80bdc2eb7445da3b4ca77b7c9efbcca764bfe33ef0cbf54870c737f0a3a9331d08e5ef93f1f3751b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
045bd159971fdd3d2dbf993178f09478

SHA1
f520bd479e4c47737f791a5147ded85b2e0fb8c7

SHA256
d5fe50e33242b90303b18c83ceed5aaeec754459b331ff64af847b500cd07193

SHA512
651f9e96605c35f4fd5b19b9199a5b806d0a4f9ed248a6ee751e3a6bd7e8666d12b1e6cdd3cec541f82e97d7726f5ae2741f7a6e47c16e649eab3304c1f44991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dd9a78c89759e3ea54d956afbbf99c37

SHA1
c813cbc4d69cf794710767f8e5231c920c8ddfbf

SHA256
e1fa669a21f750ad5480c4f1612bc67001a9791c2036a7757dceb34be0828215

SHA512
ace5b496bf840d266705a9487ce70c70cef339670d7a59da62f6e40d05d43f7c7d145cd0f757489a1c00a483ecc054c90faab5b7245ecbf7ccb42b64981f8e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
36b59bd4321ebd4f8da872925aa45e9b

SHA1
374868749598e01ddd683170ffc4b6f7ef81b3af

SHA256
f916c0fcb7ab629ccebbfbf3414912c39e8a658ff7a15acb13251974f58ff1db

SHA512
807bc081bceb551d3c87a33d56f6ea19ad7bcd588411869515bbcb2634d318444e93173e1d7a66ee203f6b7de0c64af223d645185f8c706f6553d4c711afadbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0669a1f000d5446456b36f9b0f023d0

SHA1
2e34fb97caa77405285f4076cf45e27f43ae7122

SHA256
d3789788003e25eca19b563596e5508de4fa1fb81f4603ac6a4631f4e1cdd49a

SHA512
2eb16c9f4604ed56dd0d92c90f80b76e759a78a3603ecef122bb3b235bf2dd548c6b4448a513005bbccc1c942ce60758d4735e7b593f3ca27dc29e7e3fcd7fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c50e79e9a21660ce1f1708ff7f270bb5

SHA1
1d056bcc7e3fb74b166640ecc0841e6bcb16a384

SHA256
4bff3465cb0a3e4ccdcdacf605cc9765d42d5cc76f441820846eb009a2913c6c

SHA512
20a206aab5d9eed00d935ed58b789c60e48ba49f2765d45fb2ba941befe17d9529b4a26bb27bae94d9842968780c52d40547d2c018f763eec0fc76ef377bf960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54865a6d93cab90f98d287a4f08d102a

SHA1
7d9281394437dd9acf1015264ba443b22fe324a2

SHA256
c32966e1c949ea2e9ff0bfa71314bfaa89bc9d393debe4f2907d7a9fdbd33cf7

SHA512
b43af488e1c5600320218ad200b71b8d506020349b7071214bd129668223024542ae9488e2121c84c9617610770f09e9819c453829e60150e7452e14b2769389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f3a3f7e4393378a668ca7ea877c54fc

SHA1
ca2e37d87538db775b2d3d51df3a3b742bd3b264

SHA256
f387685001155bc2935ec288fd4f3a369a9c551104a762a017a958fddb392044

SHA512
41f38ff68360b1f47dac656135b3624ef7e975652330c478cbd5cdd16f0d850823b4e351cdf3230472c3f6ac6436e4f44786e68ba45bd4c473a98a40887cfe28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\098237e8-8d0f-4db8-9f3a-92998e57e940\index-dir\the-real-index

Filesize
576B

MD5
35c9263c63515e2a0aacc732954d04c7

SHA1
28f3946e690d0286536c442bdc70c0735f63d8fe

SHA256
55ff36f83a4c5eaa320b349a90c7ce5bf40ded978d79104c2f97474a90e98abf

SHA512
97206873df9b4045d076883c627a3b232bab0075d2fddc7c2a23881b54e80167d50cc9779cb37c879cf1d64ea290f76743f6685ecd698b9464988bf780ab21a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\098237e8-8d0f-4db8-9f3a-92998e57e940\index-dir\the-real-index~RFe5c049b.TMP

Filesize
48B

MD5
fff8139f112bf87f5dec2e83a3616e47

SHA1
094791d889ca8cd69d2f370a45d827e92361da2a

SHA256
f3480c60673827846a2d1052474cadbdc1f64242042de514b2a87a35fad6a226

SHA512
2b5ee22bdffa595981e464d1907532798e3b9391f1c5fd7af1b5324da94fd5caffd7bc00a93644359c3e62e7ddd6e98b6c87975cf499c1c8ce4f336456338fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6de286f3-9d3b-4301-8ab5-4c6ac4a48fb4\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6de286f3-9d3b-4301-8ab5-4c6ac4a48fb4\index-dir\the-real-index

Filesize
2KB

MD5
522b7de847958a29335182c136879a9a

SHA1
52c9c07d97f1c92d7dacbf5252234913003d4d59

SHA256
c85ef90c7c8aa3e9b1f892147f6c2a395bc73998f5744af3b53dbf9b97cfd86e

SHA512
3fceef1dfdd1aea0ce1011e28ce9bd15a313a35cd1d5150b4fba4192966a30586cad60c9c83b44b755d248c0155221acda1d5d0cf2cd59fa31d522383c6765d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6de286f3-9d3b-4301-8ab5-4c6ac4a48fb4\index-dir\the-real-index~RFe5c0101.TMP

Filesize
48B

MD5
91fd0fb1bdfdfe926df09b498bfe5552

SHA1
a9ee7430682d131c3e13294c71c039ace885f966

SHA256
83d2366d912a0b400d3305bda929014cb2879688da03b6e42d833c99c54c0bfd

SHA512
d45f28187d81cfc163c1d55668d238eb75b7db6601e769ac8b6ba53afba732bd8ec33bacfdfebcee716bb23aa0944ec572f862ecdf8a82418f2265dbd5f3e38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a266b0f0-1f6a-42a7-a765-2f5c28a56a11\index-dir\the-real-index

Filesize
2KB

MD5
b6765ff07e20132e211b3993de337b2a

SHA1
9db32562da6e99dc5545b21675f9db3937b75c14

SHA256
1734ec3f7e579e72f83610d87030ba9ee67b296e680fde0ba584b26e60f81044

SHA512
b7ac6e3c260dd12ccb08a5d742d9c331b950d9df2171421e3b5c8547030ead2604562f1f46b797b34aa151e1740fce8a415b1436f5b640e057358edcc80d6d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a266b0f0-1f6a-42a7-a765-2f5c28a56a11\index-dir\the-real-index~RFe5baa65.TMP

Filesize
48B

MD5
2478c17b3a81518c91fbf221f9def8ef

SHA1
468520d112389e8ad3982048f91d8aaeccde47c1

SHA256
6923ba43e71e779589fa8f87f99046c177c32b212de60f1e777252f40acf46ca

SHA512
4ecdb3b58a07e7948ef85d8b0dc815d4384748ccbb948af35f7d7b40776dbb0de02ce319d8d7134a6cbe71b7a066d7affb8f77936144614a7d569b86c88e55c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
60d1f5fae2725a16632321253130e989

SHA1
42f8968db0bc9fbd7bc1a2c784c9bd24704a3c81

SHA256
7e016d947d65b8244dda56dfe2db81b5c2913bb8ca77cd5673f7ea1197f5ae76

SHA512
3df304e531e6118d6d6851dc4805604daa603bb0d0c50f02981cabf9348c830210d2e8c59343abfcb11eb6325809eb9981d47f85f44a105a3574f461531a7a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a5abcab72d6fb28dbdae92a7defb5efa

SHA1
938db1a877930c7f0189a4d7e32a2b1b185c338d

SHA256
eaf7b9a4fc50c6629355eea9111acac14064b1fd0170e3df138602ec35c814a8

SHA512
e7e22d6a786b0c0693378ca92a43a1e30afd090a43a737a59bcd010995b700c72053efee3009dc3d588e863ccf777bcb5f02c0076aafdf307bb176ad50baa9c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
9a4b6c7c48726ee7a705f62534b8ad15

SHA1
7c197756bdff97858fa87ca44916403f35e5e58f

SHA256
f75264d35266aeaf290e33772aa9c5cb8842866ab23bf6c19622ce8820784060

SHA512
feac30c62080945ef8d8123366ef30308f5b495d38606f1f9fd27ccec7d8aa01e1fda96a4f99736267cdf9de4c4429903f2177c9484494eb704fd9262fc87239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
fe1073af511d55b8aedf23ec07f76dac

SHA1
9bd2a2a21d652f124de38a873d5de2fd195f9e7f

SHA256
dc4097c26d16ded793560ef9432d9cf7f464799161cfa2e59bdb281de1b30090

SHA512
d763ab2295578d7244edf94933e73eddfd10ca2a5b20357bda0d0cba0c7e6a6dcc10104ebfd586c5344205309512d80ce1aaf1f442bad06d509c6b560f39855b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
2d59b3eb765b0ce8a4dc265c54b6debe

SHA1
195a88d3da0a72ffb28088936bf430438bd981b2

SHA256
12e60b26248f95a0a3844d2665c40e1d2ed18737bd391e9ed10808c57d9edd4f

SHA512
9b06fb08cd79181f7adee66482efe0b85146f569fdedf01ae5e7d1ba633dec629cc36a927caa2a89f0c6764c6320bc51687a125203cd023737882c57b886bab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
27154ea7e16b1b1d6b03c36b1bdb0b0f

SHA1
f973abe08bfe7f04b940693bc9a93b3e3322ad4e

SHA256
87d96c6611b1049644bddeadacf1296975ac43f0249d562d929bb200c948a7eb

SHA512
0c1fa5b5b824dc299718c49944c53f059f0d5dd33e664c92cd1dca1d1a17b51da5c3ed9a66e614e537af89f1f7e1b99b0dfc128adbda913d2a16e834ca27ba5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
c0d776f567cc4ae1a4f6b273a67ef00a

SHA1
2e91489fcc1ec57a315e5d99303e72c0cccb5d6f

SHA256
b8520fab13dfa46a52a3258c25e56d426035bc59437e03d6582fd58de95fb23e

SHA512
d7cb577bb59b6fcf9c506700a86c3b3c5ef38e22932b7461e39196e94b29132ec215091d7f9400f4791013d8bee13e7dba6f22336552229b6c58ee8312bb3e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5b9d94.TMP

Filesize
89B

MD5
fea2937e3603ebc4e809811e6a4e79af

SHA1
09a2c6f5aa041e2119ce262c2e547c87352eea14

SHA256
6e44c37a48314d74539ece0f78abd5e9dc04540cf6b12aed49e350048e65dccc

SHA512
09a7325d6e1a7d95a094bd202f48989c51941b624e19c53a39b3603c8275271d76b67320c7025d2ea68c538587a0e2d3b58fc95133e5bbc522876f965ce0b253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f449dda4950446fe78466201d9479772

SHA1
0eb1806f1730fcb96b09f259c5017bd1af93ee04

SHA256
6ab1d869f18308d40c22577c3d74649cae950143cb30524fbe2c727435d3a448

SHA512
81e20275d2546f2ffed935eab65317cc1334b5e30d6fc80a9f95847eaf63e9c2fd68021afc6df15fbdb6e326ae2aaff1aae4edbfad7ceb75418955de11cd8cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5bfe42.TMP

Filesize
48B

MD5
d211bfd1fe382bccd735405e3d34b0a6

SHA1
9b6b5c0e52c0f8fd0f8a7ff4b5843af67675c92d

SHA256
0915393bf7e5d6b8c246ca29f0939cbfaf247f1302e24d5c0d52f972866530d6

SHA512
7d06ddaf8a2a9d5deaf2e579144cb6972b79b3fdc3a8fcd1fbdb77319a7c2069b74251b1abd8f9490f4900a2712d4e0b61b470dabc4bc6ddfe288f36788b88d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef06d57fce4ff8c2f0c64421299b8eda

SHA1
88cccb6dd13a3cde8a070c3c23757021c863b049

SHA256
12264aaaf84a04ffa2f6ca109d144bc5ea5ffca5c95180e2dd1e8b5a5d0d2bf4

SHA512
188ada7f5286fc0c39c71d8c85317da6e9bd6a454288b9a19de0459901619cb37f12463d33844ba19e3572d5a46717fe9b1b9dadac5bf8c3e140aadcad2fb4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4fdcb03a13b11a568a8929778f40079b

SHA1
a1399cb5cdce8d7a3e20836e693fcd753ce04980

SHA256
58db9cfe7e0ea311539e7fe237e87eb3c36c0f3036c3f7cfdf45b1b0e125b768

SHA512
8ce0c803f69f38d872141e45c2aa3aa28a4f90128df1dca245b2060d70a3a5c8c6b9f8185bae0917233d7ec4a05a0fb1c81cde5042198db26340256a61b5c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bb60e.TMP

Filesize
203B

MD5
885734fbb5c96793ac2e972efdb642e8

SHA1
72065e0b583bcfc6e24122fdbd60c9379b985975

SHA256
3ed812a01aa1e6a216352bb305d54436fbde9470a599a05b6cc38f36a3206b2a

SHA512
ebe2f055ac7308c4c905570a018bb1e28e4f3d1c7b11df97b44267fa773b4fbd683c4fd0ef1b1b2b7fec84c7d6f22acefe6fec36f6ca68fd625e74675bb82eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5167c20c784d30aef6ff258b79ec72b9

SHA1
c6bbc0fc1c0ea12da0600232e04587b3bf22842d

SHA256
e33fe11f7bd95edf41fa8114c5ec03d27b78e1d6bb5ae598d74d656232e0b4d1

SHA512
e09ad7b3f371f4ed802c02c10f477249ed53ff8fb13df832fea99df4a44eba051142156a3812ed624298de4678e1739ea1ee1e5cbd159a9cf10c4df5f6d628e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
245653346f149b61bcc9218fc39f8f03

SHA1
9c9b4f741f9c039d1d703b825f4d910388d9e3fe

SHA256
d314c429044eaa500d2552a241e5d12dd442a2387a3be5357fda051e97eacf2d

SHA512
1399de368f78a13d9f3fa2a8afc420bece37d060d6bc6bc4b158c01f0d80a5a288f444f85543ef11f9165a52efc0b4288ce31ae0fb2e6456fcf958432f9e1185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae3dacf518626e78203f00d79d70636a

SHA1
7dfc348acc7149302c797cd8a1dee6e56ebd5513

SHA256
7a7573cb2fef05507ee4f4454557e09c7ee8317c4d2fd75646737a1a5146e5b0

SHA512
a2d2af4fa5f1163af2bd430cd7caf7720fe4aecdb60a02688fed07b21e357d996437e1e69d5e8b1142736c06a2bf82de076dfb0bbba9fcd608159257ea668bea

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
623B

MD5
cd9cde4cd72d102dc0fbb95f0dbe9890

SHA1
1d6cc64fa8c9c7aa2469c1fa0212b44d7c0c0659

SHA256
c981a9a126b50b90255e3b143fa0a2e7f8082498b11a2c785a794f29ade795f1

SHA512
361120fc48e05cb7db1aa3f547d859ddb1c7bee420d103d9dd76841d6fe20f9628829c72aeb5e941849d5294a2c021cceba976fbd55883d0d4126a2077b6ad0c

Download Submit
C:\Users\Admin\Downloads\BootstrapperNew.exe:Zone.Identifier

Filesize
552B

MD5
c62824ceb4de7ee12e4efd7386c2974f

SHA1
5177ea45d362b82cafa4b8365d5a0b09c941edfc

SHA256
e3c08693e6e5a75e6d36ac4d6f3249e366a2fb969092c2b83000bd31e110abeb

SHA512
e0701d78c5654f8cd8d191d0777a2682c189c5602f658423b7300ff53c7c019ca46380c2b981144ac5adeab3a6c878e82e88f899a4b116be8261403a3d060b89

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 293182.crdownload

Filesize
39KB

MD5
b59de3dee00b9a8a8130862e8666bf96

SHA1
9fa4f36c3077cf19d5cdcc07f981c43a0aad0801

SHA256
14b0101917f6d61ecee4d3c0d805103db75caa86ef4bb6fedf2c6e27b4a11d15

SHA512
94ddebe77b92cb20e3d482c6a064cebedd59c1d99bb784a093075f40ed7a3f90aabf758249998425d790dafcf66944cac085bea3ca470ed5737c2c776e2ede54

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
c2ad358951538fe9d4034648c21cd7de

SHA1
2ae22976ce9dd5011d7224043b25bbbe3bb8a095

SHA256
691f6030d4027a972ada6dc552454b126e82dfd64ea25adf55a8efc6b28fe23b

SHA512
5b7926ac89c2cb44a8d06b19debc58b3c1bfd4e5e0cb3da18b0e4d6542b3b5a370cfe6450ea7467284869b9adbbb86f98e94b754abe1c63a14225c798e9cca16

Download Submit
memory/3616-164-0x00000000013A0000-0x00000000013AA000-memory.dmp

Filesize
40KB

Download
memory/3616-81-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/3616-1180-0x000000001BEB0000-0x000000001BF3E000-memory.dmp

Filesize
568KB

Download
memory/3616-135-0x0000000002C90000-0x0000000002C9C000-memory.dmp

Filesize
48KB

Download
memory/3616-155-0x0000000001380000-0x000000000138C000-memory.dmp

Filesize
48KB

Download
memory/3616-161-0x000000001E810000-0x000000001ED38000-memory.dmp

Filesize
5.2MB

Download
memory/3616-165-0x00000000013B0000-0x00000000013BC000-memory.dmp

Filesize
48KB

Download
memory/3616-1260-0x000000001C970000-0x000000001C97C000-memory.dmp

Filesize
48KB

Download
memory/3616-168-0x0000000001390000-0x000000000139C000-memory.dmp

Filesize
48KB

Download