Overview

overview

10

Static

static

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2024, 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    65KB

  • MD5

    f89900bee0847f4f1e23b1bfda0e7f24

  • SHA1

    24dd536801cff4b3b92276a52a9280069290149a

  • SHA256

    82f0fb933a96858aabe6b741c889611583a0a11132ee6ecd70909fc0aa6cf534

  • SHA512

    bba995bfb14d6d79b8f4feb0934888d2e5d39d7c945cce2046e842a0c0240cc14a9998c3d18093c29ca36c840f580058518df341e0dca3f5452fdc7fcacdcc3a

  • SSDEEP

    1536:/JPMoSzJ4aZfY0by1DLub8ldJJIrlXOF3+v/:BZcJm0WxSb8elXOhW/

Score
10/10
xwormbootkitpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:33920

original-taught.gl.at.ply.gg:33920
Attributes
  • Install_directory

    %AppData%

  • install_file

    FreePornHubPremium.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FreePornHubPremium" /tr "C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4084
    • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
      "C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
        "C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4632
      • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
        "C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3248
      • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
        "C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:8
      • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
        "C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1064
      • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
        "C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe" /watchdog
        3⤵
        • Executes dropped EXE
        PID:4596
      • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
        "C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe" /main
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe" \note.txt
          4⤵
            PID:3504
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
            4⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca96046f8,0x7ffca9604708,0x7ffca9604718
              5⤵
                PID:2900
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
                5⤵
                  PID:4024
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
                  5⤵
                    PID:116
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
                    5⤵
                      PID:652
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                      5⤵
                        PID:2688
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                        5⤵
                          PID:5108
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
                          5⤵
                            PID:2044
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
                            5⤵
                              PID:4116
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
                              5⤵
                                PID:2612
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
                                5⤵
                                  PID:5128
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
                                  5⤵
                                    PID:5208
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
                                    5⤵
                                      PID:5216
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
                                      5⤵
                                        PID:5416
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
                                        5⤵
                                          PID:5424
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
                                          5⤵
                                            PID:2384
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,366461165811060024,12104819591719976604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                                            5⤵
                                              PID:5836
                                          • C:\Windows\SysWOW64\mspaint.exe
                                            "C:\Windows\System32\mspaint.exe"
                                            4⤵
                                            • Drops file in Windows directory
                                            • Suspicious use of SetWindowsHookEx
                                            PID:5844
                                          • C:\Windows\SysWOW64\calc.exe
                                            "C:\Windows\System32\calc.exe"
                                            4⤵
                                            • Modifies registry class
                                            PID:5372
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
                                            4⤵
                                              PID:2616
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca96046f8,0x7ffca9604708,0x7ffca9604718
                                                5⤵
                                                  PID:3492
                                        • C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe
                                          C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3216
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:1624
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:4644
                                            • C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe
                                              C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5676
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
                                              1⤵
                                                PID:5928
                                              • C:\Windows\system32\OpenWith.exe
                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                1⤵
                                                • Suspicious use of SetWindowsHookEx
                                                PID:408
                                              • C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe
                                                C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe
                                                1⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5032

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FreePornHubPremium.exe.log
                                                Filesize

                                                654B

                                                MD5

                                                2ff39f6c7249774be85fd60a8f9a245e

                                                SHA1

                                                684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                SHA256

                                                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                SHA512

                                                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                cb138796dbfb37877fcae3430bb1e2a7

                                                SHA1

                                                82bb82178c07530e42eca6caf3178d66527558bc

                                                SHA256

                                                50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

                                                SHA512

                                                287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                a9519bc058003dbea34765176083739e

                                                SHA1

                                                ef49b8790219eaddbdacb7fc97d3d05433b8575c

                                                SHA256

                                                e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

                                                SHA512

                                                a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
                                                Filesize

                                                198KB

                                                MD5

                                                319e0c36436ee0bf24476acbcc83565c

                                                SHA1

                                                fb2658d5791fe5b37424119557ab8cee30acdc54

                                                SHA256

                                                f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

                                                SHA512

                                                ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                Filesize

                                                144B

                                                MD5

                                                894629052801bf79d6e8bbbaa047aec3

                                                SHA1

                                                6608c796286089a9f1001e26c6464a838c9ab5da

                                                SHA256

                                                b6f646d5799aaf0def6c90cb6fbc02512f28cb2b6bf4ba28f04b85485293546c

                                                SHA512

                                                b04c8d2f8269c40274527254068bb945ae43005483fd3279223f7b8a0f7984bb1dbd03eca267af901fb38df3ca2328db22a07b8791c92d3582cb00d6e54376f1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                Filesize

                                                815B

                                                MD5

                                                67a36687a0c1c13ca14963795f054f95

                                                SHA1

                                                ece32ecc629323cd9b668e290735184e0e153117

                                                SHA256

                                                2bf14e3e3a37fb04ca208c31f956c2cfb064ed1c9ffe0f4afe05f7bdd50d6026

                                                SHA512

                                                0f783112dec0e68a2333cc6d287a083770d8f09d1bb4b184c6e6b51c4a0cdf55923d0c2a4d2a5d7145dc0dee7d33ecc190d14cc21a77e450f6974085ee92f1db

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                eae042ea0f2bec058ca2733977107d53

                                                SHA1

                                                f40f961ec653c7d5047b863db548aa35d0b1f155

                                                SHA256

                                                2a13b69143694363a96f524ed568dc42bb2351432b7dc62f3c7ea0cfc1984bed

                                                SHA512

                                                96fa8feace3d44f0b78c5f3ca7a094d0c236d2f4ef09466123c32d0a584a7f69a7c9da91cc8d48be57edf552b86648735aab6e81387a40caba3296246414a1cb

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                4cdc03cc757b8779ed735bfdbc358726

                                                SHA1

                                                ceb394dc75a78011bfe0f75682cb69388abe3841

                                                SHA256

                                                30a20ab5968300614269ce4dc2c85afb86c9afb5201c69b27a068dd62c5d3d81

                                                SHA512

                                                e5255cca67982e045bafd8a7422e69c03937603d6afd8de711e4bb53826d6bba668491900cb4ff1edb6e519544381e2428f65f84eed72dee4e57f9806bb7200a

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                11KB

                                                MD5

                                                a0284fde5a8b7d1fd052d92aedae7b58

                                                SHA1

                                                5251c5fc0f4856d513c67421d2feebaf9e6c0838

                                                SHA256

                                                b7f0736b4b105503f95337c22760d7aee72777248042f9e0ee72893cced8e101

                                                SHA512

                                                b08c9f10815ad2678c081687b95b45c35c8d580e41333828c75fd4b34bb292d559eb7f5669307ec8b2b534e2cc1aca4a5eb1f0dca4e06159eec4111570bde80d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\rsmbpe.exe
                                                Filesize

                                                16KB

                                                MD5

                                                1d5ad9c8d3fee874d0feb8bfac220a11

                                                SHA1

                                                ca6d3f7e6c784155f664a9179ca64e4034df9595

                                                SHA256

                                                3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

                                                SHA512

                                                c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\FreePornHubPremium.exe
                                                Filesize

                                                65KB

                                                MD5

                                                f89900bee0847f4f1e23b1bfda0e7f24

                                                SHA1

                                                24dd536801cff4b3b92276a52a9280069290149a

                                                SHA256

                                                82f0fb933a96858aabe6b741c889611583a0a11132ee6ecd70909fc0aa6cf534

                                                SHA512

                                                bba995bfb14d6d79b8f4feb0934888d2e5d39d7c945cce2046e842a0c0240cc14a9998c3d18093c29ca36c840f580058518df341e0dca3f5452fdc7fcacdcc3a

                                                Download Submit

                                              • C:\note.txt
                                                Filesize

                                                218B

                                                MD5

                                                afa6955439b8d516721231029fb9ca1b

                                                SHA1

                                                087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

                                                SHA256

                                                8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

                                                SHA512

                                                5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

                                                Download Submit

                                              • memory/3216-20-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/3216-18-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4576-22-0x000000001DCC0000-0x000000001DCCC000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/4576-0-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

                                                Filesize

                                                88KB

                                                Download

                                              • memory/4576-21-0x0000000002D10000-0x0000000002D20000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/4576-44-0x0000000002D10000-0x0000000002D20000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/4576-194-0x0000000002D10000-0x0000000002D20000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/4576-17-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4576-6-0x0000000002D10000-0x0000000002D20000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/4576-1-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/5032-322-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/5032-323-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/5676-264-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/5676-265-0x00007FFCB2AB0000-0x00007FFCB3571000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download