asyncrat | hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/dnlib[.]exe

Analysis

max time kernel
72s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/dnlib.exe

Score

10^/10

asyncrat def rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00090000000234d8-109.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	dnlib.exe

Executes dropped EXE 3 IoCs

pid	Process
216	dnlib.exe
4196	x86.exe
1836	sysfile32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1848	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 771417.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
5084	msedge.exe
5084	msedge.exe
1508	identity_helper.exe
1508	identity_helper.exe
4364	msedge.exe
4364	msedge.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe
216	dnlib.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	dnlib.exe
Token: SeDebugPrivilege	4196	x86.exe
Token: SeDebugPrivilege	1848	taskkill.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
216	dnlib.exe
216	dnlib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 5068	5084	msedge.exe	83
PID 5084 wrote to memory of 5068	5084	msedge.exe	83
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 2224	5084	msedge.exe	84
PID 5084 wrote to memory of 1028	5084	msedge.exe	85
PID 5084 wrote to memory of 1028	5084	msedge.exe	85
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86
PID 5084 wrote to memory of 3916	5084	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/dnlib.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9eb0b46f8,0x7ff9eb0b4708,0x7ff9eb0b4718
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,6191558330240375849,1483924482503826112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Users\Admin\Downloads\dnlib.exe
  "C:\Users\Admin\Downloads\dnlib.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:216
- - \??\c:\windows\system32\cmstp.exe
    "c:\windows\system32\cmstp.exe" /au C:\windows\temp\v3jkcvg1.inf
    3⤵
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\sysfile32.exe
    "C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"
    3⤵
    - Executes dropped EXE
    PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\x86.exe
C:\Users\Admin\AppData\Local\Temp\x86.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96bb8d8e37ccc7cc35227d17303b9c02

SHA1
c43d735c56a289f0967bb34b99d5bbe42fb70c7c

SHA256
a1b5d3dabe129f0e6d0f14f1761c03560e42ed0ba573d772d153b97fd3140c1d

SHA512
b875282b6dfbceb82b09d2d4d550e325134952c4be0943224f53a97f748cb8f2897c2f1bd367710d40e757dd5db110af14eaa6664b9f291dae480fc30eed3381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a716cf09408168a186b71b7b90a3c89f

SHA1
3e92ec034464d05168d5d38951d81e53d9bd2b0d

SHA256
da5b2ee6ba742cb6db2c69728d3d6d908c5faf584db938adbef6c86ea02829e6

SHA512
763fccdc7f353e8e8b49d8fe79b4805230b3326fd810ac1c4969ffa1cfd9c4fc4154bd619537ff63f310c948ebdf76ab0db9568060669def78667e8f1ff2773b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43ed857d9d592a5e9f56af50aa4c4d3f

SHA1
e841ef095fa1316bd47891f8ca35941bd9c88b22

SHA256
651d90291210ae60630ba5f6f69bd43207046830469d1a2df5385c05a05b9ead

SHA512
c5445b68c789186c1de935aaf25fd61cf35872a802ca04af7289130d9dbd2acb88d1b3df14daa73ae3f8449818ae0a055886525d925397282045b158fdc77d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2642511477c98058be92474c6d43a1c2

SHA1
c470621666e11ccc9c81537cd29e6ca850b39f7a

SHA256
22ff77c5b9fa91dd01f95eca088799d8ec78b06b19543aec9809a5d759e948c1

SHA512
76356d56aa1914cc9e78821d1cf4339e5fa30260dafc81fe36b24636cd2f423ecce8a538ec5f5e828e1289ecddd8f89ef6afb65082dc5d46d27b1b4241a5fdb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d08104fbbed3d48d5ccffe86619c3f76

SHA1
f514bf69d3612b7630e565fb96bf9bf405466693

SHA256
a27f0dbfba113f58b9500f1f429f8e0bccfd4852f3683bbedb5b3709a5efcdae

SHA512
d3c9c5f5beb67cf993abaabc1050062ef7ee1e737dbfb466e11c443002296f80bd3a0dab43b6dfa91df881328a86745227102c03f87d1e5ad0c44706a30a6314

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jduh1lm.0r3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe

Filesize
52KB

MD5
0c2d61d64f4325ca752202e5bf792e9e

SHA1
e7655910a124dd10beb774a693f7caccf849b438

SHA256
d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1

SHA512
1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86.exe

Filesize
12KB

MD5
f922206889c896cf2d86f21e9f9db7db

SHA1
046b00f2edb34982db266d903627ced283f4a5ea

SHA256
1ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3

SHA512
abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965

Download Submit
C:\Users\Admin\Downloads\dnlib.exe

Filesize
12KB

MD5
013965d8a511aec735b069e3ec027d4f

SHA1
f2673470953b247525a6a54e53417fd844b0e816

SHA256
27f8adbfd40471340ecf13950e143c0fdc7acade26458edf99781b4138cd4a02

SHA512
fa0e8a2e78c34e6e6b3ab4c225f6c08356e024d900fdc6d3bcc69beb57a17c6c205a34c155d9766917b2fe769415fc4232fcdc9c0f7807c9c0c61ecd7bb13016

Download Submit
C:\windows\temp\v3jkcvg1.inf

Filesize
542B

MD5
5c23ac475d677288f01378eb90a7d32c

SHA1
8801e0122b4c2575bc8dcfbf04421a2c446dddf7

SHA256
7f146ed6fa2a2fbde0cda5e2afc47d4987dc62b8d3edb75d4d7341653bcefabe

SHA512
21c7ec4352e9c2c4a5472b4b5fee1372440589f27cd3f7b9bd756ce9d311b90c28fe82403cf8435119fc0ed13da03b6773f774b68128f1b280f7ecd5cafd4961

Download Submit
memory/216-89-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/216-85-0x0000000002360000-0x0000000002382000-memory.dmp

Filesize
136KB

Download
memory/216-75-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/1836-116-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/4196-94-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download