Overview

overview

10

Static

static

10

XWorm V5.6....6.exe

windows10-2004-x64

10

XWorm V5.6....6.exe

windows11-21h2-x64

1

Analysis

  • max time kernel
    178s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2025, 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm V5.6/Xworm V5.6.exe

  • Size

    14.9MB

  • MD5

    56ccb739926a725e78a7acf9af52c4bb

  • SHA1

    5b01b90137871c3c8f0d04f510c4d56b23932cbc

  • SHA256

    90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

  • SHA512

    2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

  • SSDEEP

    196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i

Score
10/10
xwormdiscoverypersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

M7FqVOzijgtcg6Xt

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 17 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 59 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6\Xworm V5.6.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5vxkrtsp\5vxkrtsp.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D081A8C10B744C19EB51FE4EFF49DE.TMP"
        3⤵
          PID:2000
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:4060
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2f0 0x4bc
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2136
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3532
        • C:\Users\Admin\Downloads\XClient.exe
          "C:\Users\Admin\Downloads\XClient.exe"
          1⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Sets desktop wallpaper using registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5756
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
            2⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4888
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:684
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
              3⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              • Modifies data under HKEY_USERS
              • Modifies registry class
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2460
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ff95276f208,0x7ff95276f214,0x7ff95276f220
                4⤵
                  PID:4120
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1964,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
                  4⤵
                    PID:3128
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2128,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=2116 /prefetch:2
                    4⤵
                      PID:5248
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2588,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:8
                      4⤵
                        PID:4156
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3392,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
                        4⤵
                          PID:4432
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3408,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:1
                          4⤵
                            PID:2988
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3404,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:8
                            4⤵
                              PID:5404
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4784,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:8
                              4⤵
                                PID:5812
                              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:8
                                4⤵
                                  PID:5464
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
                                  4⤵
                                    PID:6004
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:8
                                    4⤵
                                      PID:6008
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=560,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
                                      4⤵
                                        PID:2900
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5796,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
                                        4⤵
                                          PID:4524
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6136,i,11929164925610130931,2943282379799253104,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:8
                                          4⤵
                                            PID:3124
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XClient.exe
                                      1⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2104
                                      • C:\Users\Admin\AppData\Roaming\XClient.exe
                                        C:\Users\Admin\AppData\Roaming\XClient.exe
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5552
                                    • C:\Users\Admin\AppData\Roaming\XClient.exe
                                      C:\Users\Admin\AppData\Roaming\XClient.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2476
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                      1⤵
                                        PID:4692
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                        1⤵
                                          PID:3400
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                            2⤵
                                              PID:4140
                                          • C:\Users\Admin\AppData\Roaming\XClient.exe
                                            C:\Users\Admin\AppData\Roaming\XClient.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5356

                                          Network

                                          MITRE ATT&CK Enterprise v16

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
                                            Filesize

                                            654B

                                            MD5

                                            2ff39f6c7249774be85fd60a8f9a245e

                                            SHA1

                                            684ff36b31aedc1e587c8496c02722c6698c1c4e

                                            SHA256

                                            e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                            SHA512

                                            1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            280B

                                            MD5

                                            576f64b8f21f4203eed3f6c7b065f527

                                            SHA1

                                            e0c4e8f914319e112a4b3562d2d6f4107750aba8

                                            SHA256

                                            c39a636afaeae67ebd98682bf35ff7afafceac020ed21cb564ab954ab1ef6f87

                                            SHA512

                                            af606a5d7d4d96afd80d8e0117f2d5f02cc82b810149f50e26d46a5b8fd7c6b2aa119aa1b7123c54d2ef19d05ca92ca738994e047e24e567e53765fc1c52f653

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
                                            Filesize

                                            2B

                                            MD5

                                            99914b932bd37a50b983c5e7c90ae93b

                                            SHA1

                                            bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                            SHA256

                                            44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                            SHA512

                                            27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
                                            Filesize

                                            107KB

                                            MD5

                                            2b66d93c82a06797cdfd9df96a09e74a

                                            SHA1

                                            5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

                                            SHA256

                                            d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

                                            SHA512

                                            95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
                                            Filesize

                                            1KB

                                            MD5

                                            82662e2fc7803b595e10a4c74b0f8b16

                                            SHA1

                                            78c3392553b4bd588cf642d1f91db32a3ae62d1b

                                            SHA256

                                            329d472198a56dc465d2fb08d46992a88e76da64d190c11a46e0ee1ae0dbb269

                                            SHA512

                                            aa83e89d67f4979f434790513da776e2f671b6f14b4424c3f8400f5f6b728d24a5db88b116776c09adf2974e869141af5ec1758dc2a9544fcaf3937587717d5b

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                                            Filesize

                                            2B

                                            MD5

                                            d751713988987e9331980363e24189ce

                                            SHA1

                                            97d170e1550eee4afc0af065b78cda302a97674c

                                            SHA256

                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                            SHA512

                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
                                            Filesize

                                            40B

                                            MD5

                                            20d4b8fa017a12a108c87f540836e250

                                            SHA1

                                            1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                            SHA256

                                            6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                            SHA512

                                            507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            15KB

                                            MD5

                                            dfe3e12f8fc92d41ffc6b44326254400

                                            SHA1

                                            d34b725120f547cf18f0002cdf945d47b5605ada

                                            SHA256

                                            2eaaa2f7faf7402636413d251728e071c60ea86810909085c250d4db80e6f950

                                            SHA512

                                            37712db70a29737720fe09d5733d6c37e8dae9ce30fb0529c9a66e58f151b462fbaf0e5c5e31562e56d2b33ee9823c9d106c0c6327a91f8568c1c2803dd8eee3

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                            Filesize

                                            36KB

                                            MD5

                                            2936c908c0523e48db78c39230e1e4cc

                                            SHA1

                                            bc6aa221f18d56facf692c6a81e377fac82159fc

                                            SHA256

                                            f5bc679708acc673112d66d56d749dc435dcf609eb83435c9fd3092a4700858a

                                            SHA512

                                            a56e3602b5a2d0245225aed94b7dee78ddbb48beb84b467dba6785b584d133f2195ac6c80cdf80254e72ed6e0878e7a86f8c2192702b2739fe51a15aed9c2608

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
                                            Filesize

                                            23KB

                                            MD5

                                            43178f7c58c8fa2fdb44daa48d4b5044

                                            SHA1

                                            77d436613f3e2662356eb9402306c7d57574edfc

                                            SHA256

                                            e1c2ceb9ea599ffcfcb808f83fe302c72961963287b5255e45c4f7e0fb308f23

                                            SHA512

                                            70c36c18649b6367856de570514db7d6ad3721a9ca7ce33dadc6b04e638d1fcc9834809ff5430a07e82e7e844e039a6f21b89d1051b38d5a962c5ffd2a2cf7ae

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            40KB

                                            MD5

                                            24299e7ad2e1b8ed86b0bcd794a353ff

                                            SHA1

                                            aca0390e06b8741fab25e8bda33307b2d8ddd48c

                                            SHA256

                                            aedefa50255d41f7a0b8421dd69b7f1f731861b7fa5919cbc2c451aae377d522

                                            SHA512

                                            aac2211529b922c40cad880076d1e2a6326249d740ae2c676a199fbf7d9d1ae5668769b2e545ce03e7fed903b4e6787702b369e4b15cfd8e8b77f67397343ef8

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            40KB

                                            MD5

                                            4aa58bcbab7b5a5240b5cfc28b5bbea5

                                            SHA1

                                            69514a3d8efb9f9297d6ebbefe2489d672b0413c

                                            SHA256

                                            26820c8c3a059b8bd6de7298db48719a793675bb91301042911206be1874f405

                                            SHA512

                                            581beb36d446c9cde485ea98fd80af1812e8737befabfd9c0ff505423e7058fa91936ba8e75644d10427a3ce0c7ac75dc295307697fcd21b0fba46d4149afc76

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            49KB

                                            MD5

                                            6dfdcd68acfb40e14e0f0769d7fd2fbb

                                            SHA1

                                            47b92a00aa37cc41a7cf6872e35a472405b9db04

                                            SHA256

                                            9e97cb36bbde53041c8bcdd2966786d33c480936e676fa481e28371951d6bd99

                                            SHA512

                                            6c2d1df7e4c2c17604834f16712cfa362ccf60713b501601d1940f4daf40bb91cd1b6f506e8f593f60a56be5688a8f9369e409945a72e93783e2233c2ce250af

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
                                            Filesize

                                            2KB

                                            MD5

                                            2f1fe95f0e0f0ae0f13fcc5b9f6afb48

                                            SHA1

                                            0446a31577cabdac804812bb4ca64d87ab602ae9

                                            SHA256

                                            517edfa5b62f49698378618a736c53e0293f62fd5c84205df34a53e625130fe3

                                            SHA512

                                            5704282e273daa035fe14455b513cfccbf3769a63824e8473db81aa01a2db4307a6b31833392b6db70ec78e41c1b5ea4cb91635fdd6ace60c55d2cb27de3160e

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\5vxkrtsp\5vxkrtsp.0.vb
                                            Filesize

                                            78KB

                                            MD5

                                            dcd66e094c952167c0d0a0244f6bf23c

                                            SHA1

                                            fea35120ad891d6356e02783356249cbbb4dd758

                                            SHA256

                                            929fe8cbb2de6c5b299ae7bdbed54c9f0f429430ececc1b59fc6dcb26002b593

                                            SHA512

                                            2827f03b200c6fd3976c4b734e31c96958b114bcc16461b418a504cd1a21b419e731fc8f214ed80f5737dfd41917d359e065568b8224ff18b6cfd3744ec0c20e

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\5vxkrtsp\5vxkrtsp.cmdline
                                            Filesize

                                            292B

                                            MD5

                                            5d49d53952e78726347939f36eeaabb6

                                            SHA1

                                            113673d0bf1fab8d656c8d5fd4b72725f527ce4f

                                            SHA256

                                            1d2a30d482625deabe54b32c1d5c6f52fed17411684db71005b500857bf7cb82

                                            SHA512

                                            ffbf130054bdc03e77ab1a1d7a702ca2bd718fa06cda422ce2e526e85b8a90b2b98f6804e3e35cf72b2be0c6c4b5908fe35d7d058127271701e91189f6119427

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\RESB8CC.tmp
                                            Filesize

                                            1KB

                                            MD5

                                            4fdc9f1e9d41a6b7a185cbb27a64003e

                                            SHA1

                                            20533578f51a8bacdd9cd6bb3b38f5f8bcc1f866

                                            SHA256

                                            8a40ae9481937006809943b1b7696ac64c964f586f790d784da336cf946d28dc

                                            SHA512

                                            4be265381bbf8876a7506e1a6f81766ed957c19677b3f62c1a7e0d682a96eb5a146e0d9f8aecd730455c035e27d19a70710e2658c7b85e5935e6c24679a38bc0

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\vbc9D081A8C10B744C19EB51FE4EFF49DE.TMP
                                            Filesize

                                            1KB

                                            MD5

                                            d40c58bd46211e4ffcbfbdfac7c2bb69

                                            SHA1

                                            c5cf88224acc284a4e81bd612369f0e39f3ac604

                                            SHA256

                                            01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

                                            SHA512

                                            48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

                                            Download Submit

                                          • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                                            Filesize

                                            631B

                                            MD5

                                            ab74dd123516f0f9b4117395e5d8c331

                                            SHA1

                                            74bc7151f75cd38fd441e6d4331800ddf80d5cd8

                                            SHA256

                                            b2495c6efd75fe35f1d0bcf17b4ec57509bea499ffcff7c73e4b73c3e61cffbf

                                            SHA512

                                            b7b390bbc053542cb2882982892b4a52b9cea0f6fe5c44d3c8e7a7ce3024e0bf20f727ecc7928de1e183b3d1daa4dec7c17800da31b5885279e0fc01ca4fd099

                                            Download Submit

                                          • C:\Users\Admin\Downloads\XClient.exe
                                            Filesize

                                            40KB

                                            MD5

                                            751936c49a6dea943ee55bdc4bda90c0

                                            SHA1

                                            337fd3294619539cb1596dddff08499faa52a16b

                                            SHA256

                                            b9dd00b31c7f592a95db496fc05a325d24c8319ca32775bc92c812aaed688d13

                                            SHA512

                                            613a65233bb9096f055d8947cbf1698cb5167088c8288a26ccf0a6ca4f5193b9914475a99305e12bef94892c06aae5bcd4ae25b47af25398b8accf236100c0d3

                                            Download Submit

                                          • C:\Users\Admin\Downloads\XClient.exe
                                            Filesize

                                            62KB

                                            MD5

                                            4c6e55b48527b8f11164a7dc670bd569

                                            SHA1

                                            57664a685b088efcba60c921d40e8688fae68652

                                            SHA256

                                            ed5609a2be0196dcff27ead8cd14d6c5d3c648de968a68a839901095d7825813

                                            SHA512

                                            e0467d8b1014da27b239754999ab1ec44c9c7bed57640b33ae687579167f6c22797c30da99796ccbe2bfb18f395964c5089cbea69ca890b7a8927a584fd2d694

                                            Download Submit

                                          • C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
                                            Filesize

                                            16B

                                            MD5

                                            ff2b41236b0b8699597695c651d01c49

                                            SHA1

                                            ec062bac83d0627c3b2a50b68a8b123b1d9428c1

                                            SHA256

                                            c689067c2fd3fb1b177a28279d3120016239a1703e9ecd092d75d9f4c08f8f12

                                            SHA512

                                            5f86ef98d1b58ec5c253366e3c8e589b69bf2defac89abf80862509433abd92220556f1840be9bc5200e9af5ce0faa8360f4b63ded4716ae75cf0cd7911f8a78

                                            Download Submit

                                          • memory/1256-11-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-5-0x00007FF959613000-0x00007FF959615000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1256-46-0x000001A0E6440000-0x000001A0E64F2000-memory.dmp

                                            Filesize

                                            712KB

                                            Download

                                          • memory/1256-44-0x000001A0E4BE0000-0x000001A0E4C0C000-memory.dmp

                                            Filesize

                                            176KB

                                            Download

                                          • memory/1256-1-0x000001A0BEBF0000-0x000001A0BFAD8000-memory.dmp

                                            Filesize

                                            14.9MB

                                            Download

                                          • memory/1256-43-0x000001A0E4C40000-0x000001A0E4CC2000-memory.dmp

                                            Filesize

                                            520KB

                                            Download

                                          • memory/1256-2-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-31-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-14-0x000001A0E4D20000-0x000001A0E4E88000-memory.dmp

                                            Filesize

                                            1.4MB

                                            Download

                                          • memory/1256-13-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-0-0x00007FF959613000-0x00007FF959615000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1256-10-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-9-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-8-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-7-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-6-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-45-0x000001A0E6B80000-0x000001A0E6E62000-memory.dmp

                                            Filesize

                                            2.9MB

                                            Download

                                          • memory/1256-4-0x00007FF959610000-0x00007FF95A0D1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/1256-3-0x000001A0DBEC0000-0x000001A0DC0B4000-memory.dmp

                                            Filesize

                                            2.0MB

                                            Download

                                          • memory/5756-34-0x0000000000D80000-0x0000000000D96000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/5756-59-0x0000000001650000-0x000000000165C000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/5756-1020-0x000000001D280000-0x000000001D28E000-memory.dmp

                                            Filesize

                                            56KB

                                            Download