xworm | 0fc1658f9e5bcdc8f1d437fbbfe30a1e12a6535c3610b65521cce786246f5a99

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver-booster-windows-12.0.0.308-11236.exe
Size

25.3MB
MD5

3bd43fae300070dbf4387ad227fc4fc1
SHA1

d67db4bb37acfb52d7a1922d37b85ce6cc6d753a
SHA256

0fc1658f9e5bcdc8f1d437fbbfe30a1e12a6535c3610b65521cce786246f5a99
SHA512

da65632725340cc32b74a4e999c7a0d7ba7105eba9eab17e0c35ecaffd2205ab7d31d41d11300c5d940f63122020d9aa7a43877a20b22414d25d5d170a9743e6
SSDEEP

393216:9FKV6EAgMhJ5f/3X9F3M9i2DsQ8isPBhHtWrreJwrVF+oNMcT3Xy7yoW:9cMvzXELDs5isPbHtOr7v+oNMsXT

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

MadeInMood1-40937.portmap.host:40937

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7375237961:AAFlPWXmEriRUUWDWeG1DeZifKaAFaWD10Q/sendMessage?chat_id=7534517325

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b4d-6.dat	family_xworm
behavioral2/memory/4728-13-0x0000000000980000-0x000000000099A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	driver-booster-windows-12.0.0.308-11236.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	driver-booster-windows-12.0.0.308-11236.tmp

Executes dropped EXE 4 IoCs

pid	Process
4728	XClient.exe
1544	driver-booster-windows-12.0.0.308-11236.exe
4644	driver-booster-windows-12.0.0.308-11236.tmp
3448	setup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver-booster-windows-12.0.0.308-11236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver-booster-windows-12.0.0.308-11236.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4644	driver-booster-windows-12.0.0.308-11236.tmp
4644	driver-booster-windows-12.0.0.308-11236.tmp
4644	driver-booster-windows-12.0.0.308-11236.tmp
4644	driver-booster-windows-12.0.0.308-11236.tmp
3448	setup.exe
3448	setup.exe
3028	msedge.exe
3028	msedge.exe
2076	msedge.exe
2076	msedge.exe
4640	identity_helper.exe
4640	identity_helper.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	XClient.exe
Token: SeDebugPrivilege	4644	driver-booster-windows-12.0.0.308-11236.tmp

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3448	setup.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4728	4044	driver-booster-windows-12.0.0.308-11236.exe	86
PID 4044 wrote to memory of 4728	4044	driver-booster-windows-12.0.0.308-11236.exe	86
PID 4044 wrote to memory of 1544	4044	driver-booster-windows-12.0.0.308-11236.exe	87
PID 4044 wrote to memory of 1544	4044	driver-booster-windows-12.0.0.308-11236.exe	87
PID 4044 wrote to memory of 1544	4044	driver-booster-windows-12.0.0.308-11236.exe	87
PID 1544 wrote to memory of 4644	1544	driver-booster-windows-12.0.0.308-11236.exe	88
PID 1544 wrote to memory of 4644	1544	driver-booster-windows-12.0.0.308-11236.exe	88
PID 1544 wrote to memory of 4644	1544	driver-booster-windows-12.0.0.308-11236.exe	88
PID 4644 wrote to memory of 3448	4644	driver-booster-windows-12.0.0.308-11236.tmp	94
PID 4644 wrote to memory of 3448	4644	driver-booster-windows-12.0.0.308-11236.tmp	94
PID 4644 wrote to memory of 3448	4644	driver-booster-windows-12.0.0.308-11236.tmp	94
PID 3448 wrote to memory of 2076	3448	setup.exe	98
PID 3448 wrote to memory of 2076	3448	setup.exe	98
PID 2076 wrote to memory of 4524	2076	msedge.exe	99
PID 2076 wrote to memory of 4524	2076	msedge.exe	99
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 1028	2076	msedge.exe	100
PID 2076 wrote to memory of 3028	2076	msedge.exe	101
PID 2076 wrote to memory of 3028	2076	msedge.exe	101
PID 2076 wrote to memory of 4528	2076	msedge.exe	102
PID 2076 wrote to memory of 4528	2076	msedge.exe	102
PID 2076 wrote to memory of 4528	2076	msedge.exe	102
PID 2076 wrote to memory of 4528	2076	msedge.exe	102
PID 2076 wrote to memory of 4528	2076	msedge.exe	102
PID 2076 wrote to memory of 4528	2076	msedge.exe	102
PID 2076 wrote to memory of 4528	2076	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\driver-booster-windows-12.0.0.308-11236.exe
"C:\Users\Admin\AppData\Local\Temp\driver-booster-windows-12.0.0.308-11236.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe
  "C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\is-5K5UR.tmp\driver-booster-windows-12.0.0.308-11236.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5K5UR.tmp\driver-booster-windows-12.0.0.308-11236.tmp" /SL5="$60248,25692353,139264,C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\is-EF2V7.tmp-dbinst\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-EF2V7.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe" /title="Driver Booster 8" /dbver=8.2.0.314 /eula="C:\Users\Admin\AppData\Local\Temp\is-EF2V7.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.iobit.com/en/privacy.php
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e99346f8,0x7ff9e9934708,0x7ff9e9934718
        6⤵
        
        PID:4524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        6⤵
        
        PID:1028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
        6⤵
        
        PID:4528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        6⤵
        
        PID:3084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        6⤵
        
        PID:2276
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
        6⤵
        
        PID:4296
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        6⤵
        
        PID:3164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
        6⤵
        
        PID:4920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        6⤵
        
        PID:3440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
        6⤵
        
        PID:1844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8187331229666464022,3481802111712760913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5084 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f70640c98b0b35f1097cc9ff07a1b682

SHA1
a30a0319d9d3c8b5e4f990e26e5a24fdbb2ab8cc

SHA256
f22d584faf27f9683b4688376fef35e57caacba82a6ccaf1ca2ee678471407c6

SHA512
c0cc13583bebdb7a816f35badeae2179c1a6aed08b588af9bd108abea762927574b9fcb20d0ba728c20c08c5b9fad5cddfc2e36252ed8f2a2eafd4157db67b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c65af31e397f72af75d2ad351cf2d008

SHA1
20ec0bb8ec508fcb33425355b89eb54520de808a

SHA256
771bc72959b5ae174bc4717d256d32048904ac6debce11d4426c3cb2c02cc357

SHA512
b212a98d2708ac8fad16990cf5142518de454fe3fda76d1fc1c1790496f363f4f07dc42e299e16b0aa8cbd5b1156b6763afbccdb07350aed33eb5fc9214620d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
acaa9a1850cbd69a1c9d401effebe3da

SHA1
ae5eb041af6bdc15b52c753cbe1674c073484e60

SHA256
2bd2383008b0bbdd40a3b16e99a396d2da04a63de12c92aad0a4f5b457ee38fc

SHA512
7f60e7d504c5fadb4ea6208c8928b1ff8fdb1dc7cef26d2138f44ca6af1db67e5ca35ded335a417580e6df1f33e0321cdfd10d4af1e68d1a3877c5c363efac93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96b66734963318b8e8f40b00136ee4ae

SHA1
9b8c608ed06d6f6280992cc3608601f7a0809cb5

SHA256
a16ab44388d6aad4543737ee2404c1db9acc1e7de018d4d5a4a05ccb20e2f3f0

SHA512
619eae38b825ffdd84a5930f6c989d4d0417e09e66c4d3a41a5144466abdf4c99c7cd6eb5bb05682a6fb7458fb0af12e028698cbc04ae14988cd2df74af5e920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cd2f00d0e857fd0c5553940842065fa6

SHA1
8bcf88fd673c87e8570ff7f33713d432c5ec8b8e

SHA256
2f18af27e5d6efd350b133030a00140e5b2beb40f412470d8d756827f31596a2

SHA512
45e7f1c498be02a2d902435b2483e0eea9e9c07d0e88c88882818e8a47550f39f5982660ba226037a0043f8f7683edf1ef037a131025d6e0c7ce50bfc2de5e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b9aacc581d0a22ec0507b05aaa6a346

SHA1
d28fc4b5bbd57b82f29123d6b7c781ba7831b31b

SHA256
6a413c8fa162c998f25f8de58c252e819eaa313320e04227f3489756777b0142

SHA512
0442a83b656b423da6f65831bd1824ef38b5ceb4741fbd269dfa1d15b98af30256bf8397f266fb171854b45d6c23af0fe7aa9c35c3d272b0bca6ab48f33b4dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\1728579741\ENGLISH.lng

Filesize
18KB

MD5
385e3363164f2fbc7d87cabd20b9d988

SHA1
20886b519dcf58fcfa07b42cd0aa1d597b8087c2

SHA256
e05b8dd4fd12ac5ed2e24273fae743dac95d87851a4da2cb3c51abaa8d4b6200

SHA512
0731977ff05c1c1a96efbd388bf6847b19bda70cbac4c2f173ee1dee2ec3d448102945676da9149950ac27abd85591802ec660d4f66f0145b73d1c797c73d63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\45575.7099473495\install_cfg.upt

Filesize
2KB

MD5
d8d534176371d50f83a71426414d8c4b

SHA1
c60f9d72fefa153f65bc87fe32e0af065115082f

SHA256
b1ab16262ba915d6699d022dec969800548cb4272fb120820b8e391d8b529881

SHA512
2812a71a0c256c2479d02fb8ed7ce3db728f81422d0463e3039f00f1064b976ec8ba77f912760c0558b22ca015c482ae46b0015ae21d528d95360e86936141e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5K5UR.tmp\driver-booster-windows-12.0.0.308-11236.tmp

Filesize
1.2MB

MD5
5e68859c0b4a4b3a30bdfc94b8317bc9

SHA1
06a34be233b89832090eb8f646c968a09d40a145

SHA256
3e9126730a72f811dffc8f6e598af754ec598fd8f864704c372c37a07c559956

SHA512
36c45a8c41b800a548003319c46b880d4fe8194df72e791519c491b58e8256fd18ecd2cf5c494561ba89213e1c696914ab5576a453b3dc01b29dd72a60cdfea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EF2V7.tmp-dbinst\setup.exe

Filesize
7.1MB

MD5
37a7f71eb59a663fdc4945d47c2f97d7

SHA1
4cefdf21fbe991cb6bfb0d7905f0f6dc9717dc61

SHA256
bd9219966fd8c175dd0fd96c58f31fa060319aa96c499c66c761ef6bdc68aa75

SHA512
7f5fc8a5d2503a95be0f341f30dddd3a2fb5287f3231e5662b1d17d494a42f9d8f15dda9c9bb32fec91611633550bce0efd2428591ca3969ec95e9fe82ab223a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EF2V7.tmp\EULA.rtf

Filesize
28KB

MD5
b0381f0ba7ead83ea3bd882c1de4cd48

SHA1
c740f811623061595d76fce2ebb4e69d34316f3b

SHA256
44bc9472169403484a0d384f1ca81989ef7e4b07441758e8a0110078933cbcb5

SHA512
6cfb8bc562d22843d043411720db97d0b4cbac96a20983d83d19e59b8428ec202f2532cc5af254438dc34fca4161abbd3f6bac8d397590e41b6d41e60700e78a

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
80KB

MD5
3f20e1848d5e3caf88f26d40ba4a1c9f

SHA1
8ba9589078750ed15638770f4b863c33304e0be6

SHA256
5820f1e5bea3eb1ec8b1ff956715764e02d41e7545ed3439db88914f2c733758

SHA512
d261ba186a751713e223697339c4c2119e462ebef288b6afa2d3c508990a16078de9857b3c2d67b4786cd4b5c45c67e3d1dbe7f0385b6b94640b771ba558fadd

Download Submit
C:\Users\Admin\AppData\Roaming\driver-booster-windows-12.0.0.308-11236.exe

Filesize
25.2MB

MD5
b1536eac5254923e8379419c47d38b92

SHA1
7daa851d4b36adb2123f6ec1d00b0a92b6278b12

SHA256
ea5926dda070d8ede648439431afa1d6080e4ad50892615c4a6bacd4f9d5add3

SHA512
1eb0eedd0f073ddf5dbd9decc79b138da16f952bff646a19704e6029a7ebf094d38eadae75d93ec7e18d473cfe8879aa3a0dff1f6686213a5e623350ebe04577

Download Submit
memory/1544-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1544-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1544-29-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3448-324-0x0000000000400000-0x0000000000B5C000-memory.dmp

Filesize
7.4MB

Download
memory/3448-277-0x0000000000400000-0x0000000000B5C000-memory.dmp

Filesize
7.4MB

Download
memory/3448-300-0x0000000000400000-0x0000000000B5C000-memory.dmp

Filesize
7.4MB

Download
memory/3448-326-0x0000000000400000-0x0000000000B5C000-memory.dmp

Filesize
7.4MB

Download
memory/4044-1-0x0000000000BA0000-0x00000000024F4000-memory.dmp

Filesize
25.3MB

Download
memory/4044-0-0x00007FF9DE0D3000-0x00007FF9DE0D5000-memory.dmp

Filesize
8KB

Download
memory/4644-83-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4728-34-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/4728-13-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/4728-14-0x00007FF9DE0D0000-0x00007FF9DEB91000-memory.dmp

Filesize
10.8MB

Download
memory/4728-36-0x00007FF9DE0D0000-0x00007FF9DEB91000-memory.dmp

Filesize
10.8MB

Download