xenorat | hxxps://we[.]tl/t-z7zfaCXd1p

Analysis

max time kernel
146s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
15-04-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://we.tl/t-z7zfaCXd1p

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

86.121.5.213

Mutex

svchost

Attributes

delay
5000
install_path
temp
port
5243
startup_name
Realtek HD Audio

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4820	svcmost.exe
3608	svcmost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1936	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 958542.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\svcmost.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\XenoManager\svcmost.exe\:SmartScreen:$DATA	svcmost.exe
File created	C:\Users\Admin\AppData\Local\Temp\XenoManager\svcmost.exe\:Zone.Identifier:$DATA	svcmost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe
3236	msedge.exe
3236	msedge.exe
3232	msedge.exe
3232	msedge.exe
4916	identity_helper.exe
4916	identity_helper.exe
4368	msedge.exe
4368	msedge.exe
4148	msedge.exe
4148	msedge.exe
4148	msedge.exe
4148	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4748	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 2736	3236	msedge.exe	78
PID 3236 wrote to memory of 2736	3236	msedge.exe	78
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 4156	3236	msedge.exe	79
PID 3236 wrote to memory of 2584	3236	msedge.exe	80
PID 3236 wrote to memory of 2584	3236	msedge.exe	80
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81
PID 3236 wrote to memory of 2660	3236	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://we.tl/t-z7zfaCXd1p
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffeac73cb8,0x7fffeac73cc8,0x7fffeac73cd8
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4368
- C:\Users\Admin\Downloads\svcmost.exe
  "C:\Users\Admin\Downloads\svcmost.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\svcmost.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\svcmost.exe"
    3⤵
    - Executes dropped EXE
    PID:3608
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Realtek HD Audio" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE85C.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,1424761502361063976,13898699557844767806,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2932 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svcmost.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1a9c7fa806c60a3c2ed8a7829b1461f

SHA1
376cafc1b1b6b2a70cd56455124554c21b25c683

SHA256
1eb39b1409ce78188c133089bf3660393ac043b5baade7ff322df5a0ca95380b

SHA512
e1cb2f84b5cbd86b107c0a9ec0356ab65a54c91208f9f8e83fec64bf17ae89356a09b0cd39d2726424f4041d7b25b962c23672b8645c2e10f11ff4d2075f4afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f3f6e86c8b7bdc605f5559df800bfd34

SHA1
862d05bfba760ae8adcbb509216dc18ead59a6b2

SHA256
5dfe9be21d4916615025055f1a70151362bdb404b40f074685e39b33ad545a78

SHA512
de576ebf0cbe1c5e7639c42517253796cf4b5770298271ac2e6958404998f2d6b8e3378a535f2f316f4020fd8e60b5cc9c1b6b5171d307ca3215afe8ac47a7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
02cc67bb147e978658f7e4a5b1cdbb37

SHA1
ec9cb8afaa4146063e388a07da10f28bb6f6f3a7

SHA256
07175280858d2a7713fd283c645eaa9d7a8c9224b8ab88fdba108c99443c7bc3

SHA512
3e0bacff3c677af3b46223e151b8bc985546fe2ead6e3ba02c8e87b534f91d0684f986b6d459ee19cb33616b8e82faae01dcaf16aa80ab01455772db5b94f85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
f50a755bcc3e8a78ff5d25e62c8b31c0

SHA1
d42cac1e97dca0729c8835dc723b720dd99450e7

SHA256
316be337d3f2565b6fc0b9dbf8a5c7c21efc01d00923b2dd7f0dc5d0c69e616e

SHA512
fc2f2b4683a8841d96810e7430d9ad3bf22ce2df05b0e8fce01e5047fc36ecfbde8d8f7b79730665f2b2a709fd87e5d5df68bbcb699dcb7911c60dbb9ac22c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9eb42cba0d00805f10e741f6e3f3c092

SHA1
e37f8781b27b2d140c20347fa49a7ffcf2e7a732

SHA256
37647302a7a37b40286712d8e8713d964e69f1ebd0e240376db0d3d8edd7dc80

SHA512
ae1f76d175d62289f5e379f1c098787c23856c84f5655c88f6c7cf02ed9ce51032176838d2875ec75cc2e8582140a85e15106258f52c57a4e979535e557ad79a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f96c1bc38d58d6bda418850db8b11dbb

SHA1
862218893377598117fb0c15d846928d2686c97c

SHA256
7d4a910cb3090fa169329e954b77e1e335555436fab11d32d0af02f2f808b4f9

SHA512
8cebd0ca07b8df41a79e3f000e1fe0573be48529ff7e13dbedf0dd607757b379c357fa38cfffdcd18b1b61113fb407f265a0569499a809a6ecd79fa0b317daad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14c6efe3d46ae129e98e15a4da89d8c3

SHA1
736ad3b5c71bca2992f4f28ae6fcc129b6e14e54

SHA256
f44d44ce599b88723bbe20b54562c931df0672dc8af989064f16073e2e741f0b

SHA512
32be11ad70cd2dd8855b8695b35602d0cee506a0d7cb308ab533420ec4436ec4bf85b4132795400d355545fce8ae8b3c6692e4315e7b781b18e15bb64f7aaebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2c426ec9775e2ad0bae6c7d7fa2ee74

SHA1
7c21d008f704ca4cc5358e83064c8514c45fd5f2

SHA256
85c8e85ff94f4edc54a82f5f83952ef799bae9f9792bd624e5c46926562341fd

SHA512
6f8751ea4002f417e602fa12a33ae1624cb673da162218fd6abc7fb43d7a525c1eaab6b040cb692ded99a3c3371cd27bb7dead140fa840008687ffb56632baf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be76196043cb16f4e27dafb23c0be624

SHA1
6efaeda5ab0f4c8dac7bef2722d60e84d3e429b4

SHA256
63eb64dbe235ea128dfb413c180b56e61d942b6eefe7a4bfe652edfc1f865410

SHA512
e1c234d65b80051660e5825654d9ca6c0a49ee734ec8c3eea216685d366af77377dbd050f97859e2708258bc625b318135118082798b6d6e61c2dbedfb1b7510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ce1f3374d990d1e84040ed5bd36601f4

SHA1
29e6787efe16729cfa6c4f69d745c82aa00ab0b3

SHA256
310e1fb0c9c941755a1ef776f656f19006978daf1016608aae54ece8f52e34a4

SHA512
c62dd923cfec8266e2c86e4e1453c58492a456a16bfc4db12d44560905079fc9bc0cbb66b6c5ac455a390d6dfa47c096140d6eb9ff68e22b3d54f8b4eb2cdb32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
92ed55155af9358b683dfbd3bdf88144

SHA1
b1986ff2b2a83b6ce2fd66b72234339882dc52f7

SHA256
56f12ffdb49e68c08f36620b1f8dce73fc27bcdc338111b14e1042efd89aeff2

SHA512
92a471db6b85cc30f49e44302b06fca6afc1ff165b40d1236cd25beb0ac532fde673f4b7295f75d174c948a2a2505452df1c4e2b551df042ddb7f33814ba8f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cbb65951d34e4b7930d3a5d7405a4ecc

SHA1
ef6164100f1587421dc5099c6a366f640b646003

SHA256
e2950626d3944129ad814afe27bcb75ad96335be5ae7e68769bff5a8c22ebe88

SHA512
030394f027e677dff38a2e806d2cdd26809e416cafa960112df6bac242626cb553339bd105a8b120abbda6e038774735ca66ff8cc1d5f425ff3c05e45f75f86f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c4e9bec789d55c0fb72b538c436a180a

SHA1
cd3ff87c8ea2b60f63f04b8b859f0424c972484e

SHA256
11f1733f258f614680ef3636a624cff7319ee73f753f8a9ce6ece7ab60bfc32a

SHA512
fa68eda33d2429e0e2683d07bb750e76e7639c9a6e21dfe3825764880da5ffc214ee996990346d8d5cb91f348b6b1d1644158d8253dbbb80aa5d8fe4c226e862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57eacd.TMP

Filesize
2KB

MD5
e42c0784f17ab19ced8446fa9467642c

SHA1
c57adfd426a8e33bc6b9871c7b17343903948027

SHA256
fdc55512572fe1926009634b60e0c042cdc73653680c09d88d5a0227d3595937

SHA512
4faadf9d40430a9dd94e4611f2009cbf0352569ada731a1394da9fb5cbdfde97cf77d3e5c7e1c878fae77f5930e27ffe7f19946d2ef9c56385087ab6daa3e805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88d117efc8c9cdf938c8b0aeba94566a

SHA1
e1c097c5053120033bf2a2896025c517f8f7787b

SHA256
4feb6f868731402003b75a044e272f0d11d2b92788483e71382d75864d88e033

SHA512
88ba06e14ee4b988237cdad8ddfdb83b884c7a05dee719a99c478949743400c16f75f79163f781b97660869cb2d54cedd49350eb0c408ffc4b7e3cd8d4297bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af709b262c91c431ba67f26a3427aa3d

SHA1
4d6b38203e1955ed14d05ec5d97c372549b28b03

SHA256
c2b267b9757fca7b65815073a17d65f0de76d6ed5276042c5ced68ce2f9df505

SHA512
5bef1b1c2f2e31dedfb6055aa5dc5f5e03e90836d4395f6a6901cfc5d4e2518249aa1cf88cbd3a435524ddd00351138a3befb187120db32faf0c30c6808a910d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE85C.tmp

Filesize
1KB

MD5
31a64e250bf784ee98dec8f698cb9eab

SHA1
a5126c37364382624063c8b56bb6af37d6e253f3

SHA256
982eb76a6b7e4ef0d77a36ba22e2845658eb7ac18ccc925f435835fd733500a3

SHA512
df4dac2495575af76e667103dd66c1b3e315697c1ad28f873284915b6a786880e1a2fffad44c6577a823538a42da317bed31346e11033fde7608ceca48c83143

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 958542.crdownload

Filesize
45KB

MD5
46ae19bb3f96808608ef5394c42df20b

SHA1
3b2223c73b2564b8b9b4002892c8d7ab02ffc5a3

SHA256
58b7e282d54f2daf939093b7f091139ac169c2363b20511e6912891b5ef32074

SHA512
66a3ff8fe9f58e8cc628563d8d7316caa252b5f9754f92b8d31cb3b5b0d0afe0a175bccb207abe35acc2173a64718d31517e6ba626c91ee6641f33b734a5944f

Download Submit
C:\Users\Admin\Downloads\svcmost.exe:Zone.Identifier

Filesize
476B

MD5
7eb95792a4d72b620823ec636dcc81e6

SHA1
8eb09c7f9fa84e112e7848a99d0e28c6d29c00d0

SHA256
7602c20a3430d8380b73f9b7dce83c9be0663b36183472895905497907718199

SHA512
e8d9ae32b669ccea640322d6b8c8ef0eeab2f9c427649c020ac663c4f3f55f5324fcd78db56532ed513723fc09430b3a2a74a65e3bc0e1c2bca2b05e760c4f56

Download Submit
memory/3608-284-0x0000000075000000-0x00000000757B1000-memory.dmp

Filesize
7.7MB

Download
memory/3608-285-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/3608-242-0x0000000075000000-0x00000000757B1000-memory.dmp

Filesize
7.7MB

Download
memory/3608-243-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4820-205-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/4820-206-0x0000000075000000-0x00000000757B1000-memory.dmp

Filesize
7.7MB

Download
memory/4820-241-0x0000000075000000-0x00000000757B1000-memory.dmp

Filesize
7.7MB

Download