asyncrat | hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/dnlib[.]exe

Analysis

max time kernel
66s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/dnlib.exe

Score

10^/10

asyncrat def discovery rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00120000000234c6-199.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	dnlib.exe

Executes dropped EXE 3 IoCs

pid	Process
5552	dnlib.exe
5472	sysfile32.exe
5540	x86.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5968	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 406510.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3900	msedge.exe
3900	msedge.exe
4896	msedge.exe
4896	msedge.exe
692	identity_helper.exe
692	identity_helper.exe
5416	msedge.exe
5416	msedge.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe
5552	dnlib.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5552	dnlib.exe
Token: SeDebugPrivilege	5540	x86.exe
Token: SeDebugPrivilege	5968	taskkill.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5552	dnlib.exe
5552	dnlib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3768	4896	msedge.exe	83
PID 4896 wrote to memory of 3768	4896	msedge.exe	83
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 584	4896	msedge.exe	84
PID 4896 wrote to memory of 3900	4896	msedge.exe	85
PID 4896 wrote to memory of 3900	4896	msedge.exe	85
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86
PID 4896 wrote to memory of 5100	4896	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/dnlib.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff924a346f8,0x7ff924a34708,0x7ff924a34718
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,11416851258901972264,13520027845342072440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5416
- C:\Users\Admin\Downloads\dnlib.exe
  "C:\Users\Admin\Downloads\dnlib.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5552
- - \??\c:\windows\system32\cmstp.exe
    "c:\windows\system32\cmstp.exe" /au C:\windows\temp\5jscwarh.inf
    3⤵
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\sysfile32.exe
    "C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"
    3⤵
    - Executes dropped EXE
    PID:5472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\x86.exe
C:\Users\Admin\AppData\Local\Temp\x86.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5540

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\290812ad-8a03-4c26-9547-b606c5688494.tmp

Filesize
11KB

MD5
4be4b9b3c1b128840928ba2997f3933b

SHA1
27446f9a0f108f8b7b2272a65339127f0773c0e0

SHA256
27847a0585da5d240dcea3f99d50e47ae5db2be418b717d49f1a677faeb0f31b

SHA512
332d5d20017349dce22b48b328e39885e706df87c0b7de8189f54d775882cd0d72a4065f2970923ef544498942500bfb756a092e147349c6ccb54061ba25de69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
afbba89bdcfae1a65b8e12fcb9ed7dde

SHA1
c2bafaf67c80c1773e7c998a77affcc47dce28d4

SHA256
3278ad4449c54e3d74032c2b185b39ddf19fcdbd6ce7d2252197a7665a809d1f

SHA512
57d62a56e866d8f88754207fe31540f65c494249a2c9ebde457917cd35e7393c3d66567fceadd8d893acf3e77764f1f5229785124b8fff269785140c7280bff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
57bec678651430b196257664e945f49a

SHA1
5ed6208f66c49a69add6531895ecc7a1d5ea3a93

SHA256
fb751360f5654c4c81e703e7d56ade13f7ae2411bc568da622f08f6a84d777f4

SHA512
728eedc5b228add4281dd70847ca7de0b1f5423c59c43ed67e86c9c21e6711228d883e7219dad03a56c338e6a9f225477f65a52fc5f95f5a02082bbc5b0678bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f56df3e8-c312-4d90-9c77-17a09e25a671.tmp

Filesize
6KB

MD5
cf5e9e9040a3cd68d335194dde3702e1

SHA1
4dc2bb3cbd8a433a88aba5b911f0e5ec20b5f2da

SHA256
d34b3edce0558c2b1c6a0258c6f11028d35a86920539fc24f2938d49f23a66db

SHA512
c80c815a201cd6d7104d4a5784649c76bf167013bb2d0cb2d5d909cab1936e809a264a6ac4a0a267701862a7c836261641c03e3ac3c9291a0290845ef9a883ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
071522cb7603e62a388b0dfdfff492dc

SHA1
929a48cfb46053f89e423f368e5cd3f62ed1c339

SHA256
d9b8a65db7d18f6d10feece0fc41ef81547b1d70391b87d3fe5ad347acd2d57e

SHA512
f135b75f47ffefadc6eb47864477930dad1f1d171d76850c3b1bd8572768d5d53e1534e7ece0f63ebb182ba19fa6404bdc8b73f59e021ba25a8262fa8c3e50cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypmm3vsr.hex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe

Filesize
52KB

MD5
0c2d61d64f4325ca752202e5bf792e9e

SHA1
e7655910a124dd10beb774a693f7caccf849b438

SHA256
d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1

SHA512
1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86.exe

Filesize
12KB

MD5
f922206889c896cf2d86f21e9f9db7db

SHA1
046b00f2edb34982db266d903627ced283f4a5ea

SHA256
1ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3

SHA512
abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965

Download Submit
C:\Users\Admin\Downloads\dnlib.exe

Filesize
12KB

MD5
013965d8a511aec735b069e3ec027d4f

SHA1
f2673470953b247525a6a54e53417fd844b0e816

SHA256
27f8adbfd40471340ecf13950e143c0fdc7acade26458edf99781b4138cd4a02

SHA512
fa0e8a2e78c34e6e6b3ab4c225f6c08356e024d900fdc6d3bcc69beb57a17c6c205a34c155d9766917b2fe769415fc4232fcdc9c0f7807c9c0c61ecd7bb13016

Download Submit
C:\windows\temp\5jscwarh.inf

Filesize
542B

MD5
5c23ac475d677288f01378eb90a7d32c

SHA1
8801e0122b4c2575bc8dcfbf04421a2c446dddf7

SHA256
7f146ed6fa2a2fbde0cda5e2afc47d4987dc62b8d3edb75d4d7341653bcefabe

SHA512
21c7ec4352e9c2c4a5472b4b5fee1372440589f27cd3f7b9bd756ce9d311b90c28fe82403cf8435119fc0ed13da03b6773f774b68128f1b280f7ecd5cafd4961

Download Submit
memory/5472-207-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/5540-210-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/5552-79-0x0000000002C80000-0x0000000002CA2000-memory.dmp

Filesize
136KB

Download
memory/5552-192-0x0000000002BD0000-0x0000000002BE2000-memory.dmp

Filesize
72KB

Download
memory/5552-64-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download