xworm | hxxps://gofile[.]io/d/hes3BU

Analysis

max time kernel
52s
max time network
55s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
18-03-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/hes3BU

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.18:31798

Attributes

Install_directory
%AppData%
install_file
winhost32.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000002a7dc-52.dat	family_xworm
behavioral1/memory/3984-102-0x0000000000CF0000-0x0000000000D08000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost32.lnk	winhost32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost32.lnk	winhost32.exe

Executes dropped EXE 1 IoCs

pid	Process
3984	winhost32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\winhost32 = "C:\\Users\\Admin\\AppData\\Roaming\\winhost32.exe"	winhost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2468	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 152439.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winhost32.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
2052	msedge.exe
2052	msedge.exe
248	identity_helper.exe
248	identity_helper.exe
1116	msedge.exe
1116	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	winhost32.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 5032	2052	msedge.exe	81
PID 2052 wrote to memory of 5032	2052	msedge.exe	81
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 1308	2052	msedge.exe	82
PID 2052 wrote to memory of 2588	2052	msedge.exe	83
PID 2052 wrote to memory of 2588	2052	msedge.exe	83
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84
PID 2052 wrote to memory of 2424	2052	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/hes3BU
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ac2f3cb8,0x7ff9ac2f3cc8,0x7ff9ac2f3cd8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Users\Admin\Downloads\winhost32.exe
  "C:\Users\Admin\Downloads\winhost32.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winhost32" /tr "C:\Users\Admin\AppData\Roaming\winhost32.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,15606699847552983275,482721351155387796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c48e8b68231fb5b2d7f1188b930bc0e

SHA1
1822aef5da8fdd47626fb91afcf79a2be175a325

SHA256
c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944

SHA512
2bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2dc80f5403feb8461b7ffa09890d6a0

SHA1
d5b61e6d672e7e71571e0132e21cead181da8805

SHA256
eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a

SHA512
5e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
5ebca9516835687c412d9496d83a7584

SHA1
36d6ab408ee6714a00797a5c3732be2d5906044a

SHA256
38a8e4cece153c691b79b5b9b8dfb39e13c726420949261874e580ce330eed1b

SHA512
d95450a3c035994367c8ec43397987dc9f9c2d4d147a5850494ed390d80b5ec071719b9c9f2ef7cacec42abdea81411f31841816720a7a7ab641dd624c8f5458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d6c05cc210f652f1cdc2dc4f475954c

SHA1
8b81cd9aba440fa5052b2f93637869a2b76ed54e

SHA256
94b9dd37e0ab19c2f2e6448f28f92fda92ac23b27ab2619f114b85696b856289

SHA512
0872f454a5e8bb02c8bf245a4a3031ae254202b577adf9eef5a86657c3d98853645759c7f894d672548b05101d67689b6ca21fa19ca824f47a1f66da26e38ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8420bc4414b54361e9375248a4c2069c

SHA1
f36309504be353ccb8c57a4655daf3340ec8ddad

SHA256
e6bdc5df045fdc16984d30e0534cc3dc5b973d6976c11761161399995529243d

SHA512
2e166788f1907fab317877f4841431938fc70c1ab293ddb323dddbd40c998063d9acb6e8b9a28f09a81057c36303b8144eb5f9879f53b066c3ebcaf65576f1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1b392e3a264830dab2292cb3b45a9d3

SHA1
895fc339ed0809c91878e76d7204c6058208dc00

SHA256
68a60aa7e901652a305cdf748bde827938a895fe8a5bc91181ca6023d942ff77

SHA512
1b4962092d3c1f87644df94b1f879efeed7b2152a896145608353649f9e86e10b651548250e1eaa841a327dd37da052d0a1d6b19e71b15f768ba4a4376458be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe75e7284990483a2af73fd287dcf9c4

SHA1
503580ffd426c6ffa14a4cc8d353045bb182ba8f

SHA256
b0e10b594ed93f3998798ebafb4d0931e4c51a3736452c7dba8e276a33057094

SHA512
6e28c189fbd8aa2c0f2a14b2fcd886568fc9a3b5ea0e3cfa1db9edc20daf23b0a944b44aa52dfe2b374ef1d72d80f477475725ac2d1be3a7ad397852c1c5bede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd69217822f443ce9436753c4ade7974

SHA1
afe8f8c5b0537944a0f163ccdcf52292726915bd

SHA256
0ed77e5c632eea639f68894d2e1f4c97ab7892136aa6d0a075e2ce8a3ffe0794

SHA512
9a08d8ade82ae77de4baf56caf2bb51bbb00ecf15adc3d76405d487c06e1c497cf8f1c2e463ddf86548165b7b7a5bace98c58d4ceb6b61b1fa5cf6e0dfb72c44

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 152439.crdownload

Filesize
72KB

MD5
e68093921d654ffa2ec636200de9c2e5

SHA1
2c07f12debd6080d8c4cb6de60163826879883f0

SHA256
605606979ff1a0b78608dfef0c8910b7b15794a0b1a5fee6554a8452f67a76a6

SHA512
94fc7d7ae245af222bac6084a2f8d7bb258f7819d308e739482039bea55a912c1f41cfb0d5107cba7fae6a703234b7223d8101dfdd9c0c932764d3894d139eac

Download Submit
C:\Users\Admin\Downloads\winhost32.exe:Zone.Identifier

Filesize
156B

MD5
1251691254c817a884f7e232cc60004e

SHA1
7acbe93e6a111e11be7bee31683b2b7f856e6bf3

SHA256
38cf4a762a4f731ffa8bcfb0a815bff3d7c2e6f7eb68682a3ebf2df2b52ce274

SHA512
517114a967f1b36b8736bae76ba95fa6688454f2a033cd44d8759664ec6667f81eaefac1a17a22ea30909e6fa5dfd3fcf42d70dbe9380825d594042bb8ac7c27

Download Submit
memory/3984-102-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download
memory/3984-103-0x00007FF998A60000-0x00007FF999522000-memory.dmp

Filesize
10.8MB

Download
memory/3984-134-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/3984-144-0x00007FF998A60000-0x00007FF999522000-memory.dmp

Filesize
10.8MB

Download
memory/3984-160-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download