Analysis

  • max time kernel: 1048s
  • max time network: 992s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11-05-2024 10:28

General

  • Target: kiddions.exe
  • Size: 77KB
  • MD5: 66457c38d36822b43c72333837268fce
  • SHA1: 45279743be3613147f741715e620fe9ee9136eb6
  • SHA256: 3b280af17ea33850c3652f64436f4f02760afe4f0ba9bb9d63596dc942cac882
  • SHA512: bcc68460de0100d48806b5092dfcca1b69137f976c727f38e23f375b9c9d2c64f7e641c7e15005957bc975219cbba4fbb695617a3dbe8ea1e5da95f3dd2351ca
  • SSDEEP: 1536:eYFcsoTxxsSq9H0RsqhLJxfRjj+wiGbgZqBQGaYu6nObbHh/GT:er9+URNhbRjy3GbgIpOXHhuT

Malware Config

Extracted

  • Family: xworm
  • C2: 127.0.0.1:45129
  • Attributes
    • Install_directory: %AppData%
    • install_file: XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 18 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\kiddions.exe
    "C:\Users\Admin\AppData\Local\Temp\kiddions.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kiddions.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kiddions.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1852
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5092
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DenyComplete.m4v"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1660
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcfa3746f8,0x7ffcfa374708,0x7ffcfa374718
      2⤵
      PID:2696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      2⤵
      PID:1904
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
      2⤵
      PID:2004
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      2⤵
      PID:4764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      2⤵
      PID:4168
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
      2⤵
      PID:384
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      2⤵
      PID:4668
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2888
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
      2⤵
      PID:2192
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1568
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
      2⤵
      PID:4808
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
      2⤵
      PID:5044
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      2⤵
      PID:332
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4108
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4224
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3456
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1652
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2964
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5060
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2332
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\TestUnregister.emf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4196
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    PID:2912
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4332
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3268
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:900
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4344
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2784
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3952
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3552
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3272
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:840
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2032
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3128
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3096
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2528

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • T1059 Command and Scripting Interpreter (1)
  • T1059.001 PowerShell (1)
  • T1053 Scheduled Task/Job (1)

Persistence
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)
  • T1053 Scheduled Task/Job (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)
  • T1053 Scheduled Task/Job (1)

Defense Evasion
  • T1112 Modify Registry (1)

Discovery
  • T1012 Query Registry (3)
  • T1082 System Information Discovery (3)


                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
                                  Filesize

                                  654B

                                  MD5

                                  2ff39f6c7249774be85fd60a8f9a245e

                                  SHA1

                                  684ff36b31aedc1e587c8496c02722c6698c1c4e

                                  SHA256

                                  e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                  SHA512

                                  1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                  Filesize

                                  2KB

                                  MD5

                                  d85ba6ff808d9e5444a4b369f5bc2730

                                  SHA1

                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                  SHA256

                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                  SHA512

                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  87f7abeb82600e1e640b843ad50fe0a1

                                  SHA1

                                  045bbada3f23fc59941bf7d0210fb160cb78ae87

                                  SHA256

                                  b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

                                  SHA512

                                  ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                  Filesize

                                  180B

                                  MD5

                                  00a455d9d155394bfb4b52258c97c5e5

                                  SHA1

                                  2761d0c955353e1982a588a3df78f2744cfaa9df

                                  SHA256

                                  45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

                                  SHA512

                                  9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  6ef2b386ddfe8ec9455ca47c16b0eaef

                                  SHA1

                                  c656537021542e9d81de12f30905492e331c47f9

                                  SHA256

                                  c6fa616d466204bb3d236b09f284ef630d39e461bd047b9cb6e6e1e32b08f5da

                                  SHA512

                                  53248e8811cf873c8d66c1217506733bbf164df2eebfd45efe6685bdf0c9bf645be4d21938f915ec0192c68c0e56221e5d58f7a692b82edb1990cc2549f0f663

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  d262423eb898a442f3a0f6e983ff421e

                                  SHA1

                                  27b537069e9d1f60ade46ec36ca4e46422330ea3

                                  SHA256

                                  07b9b4f48f354321d767dbabce58e3379e930fbb7a6999a20a943bff3e14a870

                                  SHA512

                                  a2b76250d4e30cababab98877cf5f6362a6532df3035da84e887b8d0fa6f1973b158f5b4ffebef611df89faa63068204fe4ee7815405aff4f38322c6fe127c28

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  206702161f94c5cd39fadd03f4014d98

                                  SHA1

                                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                  SHA256

                                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                  SHA512

                                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  46295cac801e5d4857d09837238a6394

                                  SHA1

                                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                  SHA256

                                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                  SHA512

                                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  11KB

                                  MD5

                                  59dc3bc132a9ca7882f239033b6e9003

                                  SHA1

                                  fe880cfb2741db6eb84402261fa143b7ed49de49

                                  SHA256

                                  1f08fd50d0ac42c4e0ebaadd202cf8dd190886740606bf41846047395680342b

                                  SHA512

                                  e1ceb7de950b944c8d4c22dd056d2d99305b74cfa2e578853ffd4963015e7a27906a2c3ce5a4367f1d4829a553cd07aeaf0c19d9f52bd70758c32b2a6a63c763

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  3a6bad9528f8e23fb5c77fbd81fa28e8

                                  SHA1

                                  f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                  SHA256

                                  986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                  SHA512

                                  846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  ef72c47dbfaae0b9b0d09f22ad4afe20

                                  SHA1

                                  5357f66ba69b89440b99d4273b74221670129338

                                  SHA256

                                  692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

                                  SHA512

                                  7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize: 944B
                                  MD5: da5c82b0e070047f7377042d08093ff4
                                  SHA1: 89d05987cd60828cca516c5c40c18935c35e8bd3
                                  SHA256: 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
                                  SHA512: 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ptoxlyqq.3lo.ps1
                                  Filesize: 60B
                                  MD5: d17fe0a3f47be24a6453e9ef58c94641
                                  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                                  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                                  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                • C:\Users\Admin\AppData\Roaming\XClient.exe
                                  Filesize: 77KB
                                  MD5: 66457c38d36822b43c72333837268fce
                                  SHA1: 45279743be3613147f741715e620fe9ee9136eb6
                                  SHA256: 3b280af17ea33850c3652f64436f4f02760afe4f0ba9bb9d63596dc942cac882
                                  SHA512: bcc68460de0100d48806b5092dfcca1b69137f976c727f38e23f375b9c9d2c64f7e641c7e15005957bc975219cbba4fbb695617a3dbe8ea1e5da95f3dd2351ca

                                • memory/1660-78-0x00007FF725A50000-0x00007FF725B48000-memory.dmp
                                  Filesize: 992KB

                                • memory/1660-79-0x00007FFD0E1C0000-0x00007FFD0E1F4000-memory.dmp
                                  Filesize: 208KB

                                • memory/1660-80-0x00007FFCFA0D0000-0x00007FFCFA386000-memory.dmp
                                  Filesize: 2.7MB

                                • memory/1660-81-0x00007FFCF6330000-0x00007FFCF73E0000-memory.dmp
                                  Filesize: 16.7MB

                                • memory/3268-18-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
                                  Filesize: 10.8MB

                                • memory/3268-15-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
                                  Filesize: 10.8MB

                                • memory/3268-14-0x0000024E78290000-0x0000024E782B2000-memory.dmp
                                  Filesize: 136KB

                                • memory/3268-4-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
                                  Filesize: 10.8MB

                                • memory/3268-3-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
                                  Filesize: 10.8MB

                                • memory/4596-65-0x00007FFCFFA23000-0x00007FFCFFA25000-memory.dmp
                                  Filesize: 8KB

                                • memory/4596-106-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
                                  Filesize: 10.8MB

                                • memory/4596-0-0x00007FFCFFA23000-0x00007FFCFFA25000-memory.dmp
                                  Filesize: 8KB

                                • memory/4596-2-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
                                  Filesize: 10.8MB

                                • memory/4596-1-0x00000000008A0000-0x00000000008BA000-memory.dmp
                                  Filesize: 104KB
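The memory-dump entries above encode each captured region's address range in the file name, so the listed Filesize can be recomputed from the name and the same range can be spotted across processes (0x00007FFCFFA20000-0x00007FFD004E1000 is dumped from both PID 3268 and PID 4596). The script below is an added example, not part of the original report and not a sandbox vendor's code. It copies the dump names, the Filesize values and the XClient.exe hashes from the listing; the naming convention memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp and the size display rule (B below 1 KiB, whole KB below 1 MiB, otherwise MB to one decimal) are assumptions inferred from those values, not documented behaviour.

```python
"""Cross-check the memory-region entries of the sandbox listing above.

Added example, not part of the original report or any sandbox vendor's code.
Dump names, Filesize values and IOC hashes are copied from the listing.
ASSUMPTIONS inferred from those values rather than documented anywhere:
  - naming convention  memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
  - size display rule  B below 1 KiB, whole KB below 1 MiB, else MB to one decimal
"""
import hashlib
import re
from collections import defaultdict

# Constructed input: the memory entries exactly as listed, paired with the reported Filesize.
REPORT_ENTRIES = [
    ("memory/1660-78-0x00007FF725A50000-0x00007FF725B48000-memory.dmp", "992KB"),
    ("memory/1660-79-0x00007FFD0E1C0000-0x00007FFD0E1F4000-memory.dmp", "208KB"),
    ("memory/1660-80-0x00007FFCFA0D0000-0x00007FFCFA386000-memory.dmp", "2.7MB"),
    ("memory/1660-81-0x00007FFCF6330000-0x00007FFCF73E0000-memory.dmp", "16.7MB"),
    ("memory/3268-18-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp", "10.8MB"),
    ("memory/3268-15-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp", "10.8MB"),
    ("memory/3268-14-0x0000024E78290000-0x0000024E782B2000-memory.dmp", "136KB"),
    ("memory/3268-4-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp", "10.8MB"),
    ("memory/3268-3-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp", "10.8MB"),
    ("memory/4596-65-0x00007FFCFFA23000-0x00007FFCFFA25000-memory.dmp", "8KB"),
    ("memory/4596-106-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp", "10.8MB"),
    ("memory/4596-0-0x00007FFCFFA23000-0x00007FFCFFA25000-memory.dmp", "8KB"),
    ("memory/4596-2-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp", "10.8MB"),
    ("memory/4596-1-0x00000000008A0000-0x00000000008BA000-memory.dmp", "104KB"),
]

# Hashes of the dropped C:\Users\Admin\AppData\Roaming\XClient.exe as listed above,
# usable as IOCs against a file recovered from another host.
XCLIENT_IOCS = {
    "md5": "66457c38d36822b43c72333837268fce",
    "sha1": "45279743be3613147f741715e620fe9ee9136eb6",
    "sha256": "3b280af17ea33850c3652f64436f4f02760afe4f0ba9bb9d63596dc942cac882",
}

_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, dump index and the [start, end) address range (assumed format)."""
    m = _DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def format_size(n):
    """Render a byte count the way the listing does (assumed rule, see module docstring)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{n / 1024:.0f}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_report(entries):
    """Recompute every region size from its address range and compare it with the listed Filesize.

    Returns (mismatches, shared): mismatches is a list of (name, listed, computed) for entries
    whose range does not reproduce the listed size; shared maps each address range that occurs
    in more than one process to the sorted list of those PIDs.
    """
    mismatches = []
    pids_by_range = defaultdict(set)
    for name, listed in entries:
        d = parse_dump_name(name)
        computed = format_size(d["size"])
        if computed != listed:
            mismatches.append((name, listed, computed))
        pids_by_range[(d["start"], d["end"])].add(d["pid"])
    shared = {r: sorted(p) for r, p in pids_by_range.items() if len(p) > 1}
    return mismatches, shared


def matching_iocs(data, iocs=XCLIENT_IOCS):
    """Return the names of the IOC hashes that a byte string reproduces (empty list means no match)."""
    return [algo for algo, digest in iocs.items()
            if hashlib.new(algo, data).hexdigest() == digest]


if __name__ == "__main__":
    mismatches, shared = check_report(REPORT_ENTRIES)
    print("size mismatches:", mismatches or "none")
    for (start, end), pids in shared.items():
        print(f"range {start:#x}-{end:#x} ({format_size(end - start)}) dumped from PIDs {pids}")
    # Constructed bytes that are not the dropped file, so no IOC should match.
    print("constructed bytes match XClient IOCs:", matching_iocs(b"not the dropped file"))
```

Run as a script it reports no size mismatches for the fourteen entries and one range shared by PIDs 3268 and 4596. To use the IOC check on a real file, read it in binary mode and pass the bytes to matching_iocs; a non-empty result means the file reproduces one or more of the listed hashes.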