Overview

overview

10

Static

static

10

XClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1798s
  • max time network
    1688s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-11-2024 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    60KB

  • MD5

    de5e007cca8560c530ed376d6647436e

  • SHA1

    6d93702a99859ee7c8014ad28650139f544e486e

  • SHA256

    b666248414334aa764720592fd1d5d5789c3036654ec98d8e4bc9ff6da75b218

  • SHA512

    f1e4b994f5dd0251b99e536cf203d7c98590b8ac338006b120d4a8362c764973eb5353eecb949bfde177608d3c04076396da26d3f1359068275fa7fc2c1b234f

  • SSDEEP

    1536:F8QzsjdmRvsl4nTzqDZqwhUQbPtyA26rj6lOLECD:hkl2CAwbPtcOw0

Score
10/10
xenoratxwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:17647

Attributes
  • Install_directory

    %AppData%

  • install_file

    System32.exe

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    12345

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 4 IoCs
  • Detect Xworm Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 40 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3472
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff05293cb8,0x7fff05293cc8,0x7fff05293cd8
      2⤵
        PID:5008
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
        2⤵
          PID:2228
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3548
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
          2⤵
            PID:5104
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
            2⤵
              PID:4908
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
              2⤵
                PID:1516
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
                2⤵
                  PID:2868
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
                  2⤵
                    PID:792
                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2812
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3696
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
                    2⤵
                      PID:2380
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
                      2⤵
                        PID:4172
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
                        2⤵
                          PID:3160
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
                          2⤵
                            PID:3116
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
                            2⤵
                              PID:1380
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
                              2⤵
                                PID:896
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
                                2⤵
                                • NTFS ADS
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2232
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
                                2⤵
                                  PID:3740
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
                                  2⤵
                                    PID:2380
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
                                    2⤵
                                      PID:4612
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
                                      2⤵
                                        PID:3884
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14388521630326529265,5330172370486912830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6172 /prefetch:2
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:4020
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1316
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:1064
                                        • C:\Windows\System32\rundll32.exe
                                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                          1⤵
                                            PID:4056
                                          • C:\Users\Admin\Downloads\Release\xeno rat server.exe
                                            "C:\Users\Admin\Downloads\Release\xeno rat server.exe"
                                            1⤵
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious behavior: GetForegroundWindowSpam
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2964
                                          • C:\Users\Admin\Desktop\h.exe
                                            "C:\Users\Admin\Desktop\h.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:4068
                                            • C:\Users\Admin\AppData\Roaming\XenoManager\h.exe
                                              "C:\Users\Admin\AppData\Roaming\XenoManager\h.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:2232
                                          • C:\Users\Admin\Desktop\virus.exe
                                            "C:\Users\Admin\Desktop\virus.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:768
                                          • C:\Users\Admin\Desktop\virus.exe
                                            "C:\Users\Admin\Desktop\virus.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:4700
                                          • C:\Users\Admin\Desktop\virus.exe
                                            "C:\Users\Admin\Desktop\virus.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:3696
                                          • C:\Users\Admin\Desktop\virus.exe
                                            "C:\Users\Admin\Desktop\virus.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:2812
                                          • C:\Users\Admin\Desktop\virus.exe
                                            "C:\Users\Admin\Desktop\virus.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:4216

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h.exe.log
                                            Filesize

                                            226B

                                            MD5

                                            1294de804ea5400409324a82fdc7ec59

                                            SHA1

                                            9a39506bc6cadf99c1f2129265b610c69d1518f7

                                            SHA256

                                            494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

                                            SHA512

                                            033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            826c7cac03e3ae47bfe2a7e50281605e

                                            SHA1

                                            100fbea3e078edec43db48c3312fbbf83f11fca0

                                            SHA256

                                            239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

                                            SHA512

                                            a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            02a4b762e84a74f9ee8a7d8ddd34fedb

                                            SHA1

                                            4a870e3bd7fd56235062789d780610f95e3b8785

                                            SHA256

                                            366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

                                            SHA512

                                            19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                            Filesize

                                            2KB

                                            MD5

                                            267fae8ae83eeeee68c8b79f19d1b4df

                                            SHA1

                                            2c2c81d94d10fceb2bc0205fd27a70341feaaa04

                                            SHA256

                                            05c512c8f4dd6ddc1b48ae0a369612ce5bae789122f88eb1e6e91d617eca9f24

                                            SHA512

                                            e9b7569dec7c757ccd7212f0cec62f788a46ffdca4639107faf57cdc3ce521a5f8d6ded38f2f1ead47caab84cfd8254ae17a525ec8570aa0e510410f365d44d3

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                            Filesize

                                            940B

                                            MD5

                                            648712a25d60e14b82a2129d98ee304e

                                            SHA1

                                            937ddd5da3be0290a66071bff3797016056ba357

                                            SHA256

                                            d7560e58692dd70eb6426d69625fff557b39b9482751c4fdf435975c625c54cb

                                            SHA512

                                            8305059501bfbab862402173704c4b608e3058f1f2871ca11947f7dc048bc9774616e645c785aa61d4db163cb5f96a43650238a80004d02aa4036a76a03a6a0a

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            5KB

                                            MD5

                                            a1923b4023ec5642b155382670a78df2

                                            SHA1

                                            b2d75718286bb65be75d0310fc2e193bff85347c

                                            SHA256

                                            29582554c557f4cec2d8c2e167e82f9e47636bc619978c7131d8d7609aba2c13

                                            SHA512

                                            99b104093d29838b47716d299bf340e05f31a9f07b36196d1896150fe94b9a5fb520128ed6a78e7cb8a9227f3a8d3b21f6db5aee83cdfd4542f54d0bdad6404b

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            6KB

                                            MD5

                                            2d15b9396fafdd142a13ec3c94f6f16d

                                            SHA1

                                            25d71d457635d08115f2a12f98aeb29cf6e033ea

                                            SHA256

                                            6c4f3e4182503487deb3500d4e6600a1ebfb34718173dddef9d5f6ced887c189

                                            SHA512

                                            177daf405beb7a299ee8ba41159cad8bcb34f9065eb0c9f65c0de88ad0da77ca1034b605b505c220b56b2a1e61885d58766cf57b441339e3790836e40320b83b

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            5KB

                                            MD5

                                            2ae77e740c0c398e6133b078abac0646

                                            SHA1

                                            5960df26ea008aafe04a3ea0d55068ed05fa7849

                                            SHA256

                                            4b197e3d37dffbe0625b97b6d68854bb7642c0b523db73aa15895c4552d7cdc5

                                            SHA512

                                            6f6bb5a174df5bdeaec59695e4403a0e23b2b2a7dd5d02e414da95423514c77bb176b22e0fc61bb26fe011b09fb01ec7a587935c65bc9bda543e2322511960fa

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                            Filesize

                                            1KB

                                            MD5

                                            2d537d73f800ac0551dd382037834a43

                                            SHA1

                                            c97edf173162aa042a94dc20ecb6a974f5d9a137

                                            SHA256

                                            1e309881ec9cc5f54f92e944ddc02e8d8eaef348fa7b3e104cf94b14942911bb

                                            SHA512

                                            08735398aff3856aeeb39de7272de616f447f4a6a00923140260ad0b5916f947f4c072b217c024805e629a56c5ff1133ceed531effd2c6b0d60f375f97c5790f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                            Filesize

                                            1KB

                                            MD5

                                            1edfb02a680b7097a74dde62d92e45c7

                                            SHA1

                                            f51057022203b6af72232598fb7b1f98f66ac086

                                            SHA256

                                            bca7f7e541fb90a5c0f925c0f1c0e6076b4b2bf0d06c65189d7d00ad0575de75

                                            SHA512

                                            e2da22c9205217dcba8d705641518f5acb9ba79d42ce4cd97488f44f49a5d5b07b1fcd37e35b7eef8e7a6c21edda4df4f75bb1db653e2700daca48755df80157

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582630.TMP
                                            Filesize

                                            1KB

                                            MD5

                                            4abd0b04d26707842cd90352307e4af6

                                            SHA1

                                            6fd940a6bfccc7e48f2ee25b3f2ba4e57d62bbe1

                                            SHA256

                                            b8774b083fdf77a2e8bad255743c5eb1877705d6bf0936df48706a786479b15b

                                            SHA512

                                            15bcdb22cc73d4deb3709a4d2f31a0ede7046ed12f8b58b4c37e44955fa552625d1f38c47bf556211bc9e6c7d8dcaf2c6076e6d5c5e7977656454e16e2c672b6

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            46295cac801e5d4857d09837238a6394

                                            SHA1

                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                            SHA256

                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                            SHA512

                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            206702161f94c5cd39fadd03f4014d98

                                            SHA1

                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                            SHA256

                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                            SHA512

                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            10KB

                                            MD5

                                            a6bda644e507624c6cad47ac7d6613ee

                                            SHA1

                                            1c5f69f0cf20734c3aceefbb420f54a53ea52512

                                            SHA256

                                            509f56978e3509614f354782586a31135fc39c165c00eb87d2d29e802c741961

                                            SHA512

                                            dec7109f1ab3a84849316697c6630cefdb5c0b05895be77dc618272257a9f502480f50183bf7f43250cb15559fef69efb6febc82fa7d3fe91222f865278e1a5f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            10KB

                                            MD5

                                            2687504b868c9987ac270b11197d779e

                                            SHA1

                                            1b6d134a15d43358781a0157c1fafadd11673c66

                                            SHA256

                                            dd14217fb1032c0bf63d0ff3133244536a48f1d801a385eb6d913df9a1c35ca2

                                            SHA512

                                            e09d8d81e79e82a59453c048cb7a1d1e9be82e65616d55cafdacac0b173d85b09f49efd4f2b7b0617310159faefea7be0b5f165edab7339f16c64bfeca056682

                                            Download Submit

                                          • C:\Users\Admin\Desktop\h.exe
                                            Filesize

                                            45KB

                                            MD5

                                            26aa0e661539b9297b7928e8a691331a

                                            SHA1

                                            ca89ba72269a51478dd90455163650c32d7d6958

                                            SHA256

                                            0e11435586625fc8b6765f42ac42ab7d3ddc29bc8beeafb5cc95276ed30bd68e

                                            SHA512

                                            576e97272155c86b6c57a077396785f5ee7a65ff3469bdd687150937fbfb7597e83cb21ff9e2f286b8ab3f4e8795fa5d0cf486ea7fbea38c3844e35d6afcb69f

                                            Download Submit

                                          • C:\Users\Admin\Desktop\virus.exe
                                            Filesize

                                            45KB

                                            MD5

                                            e069304f72f1993e3a4227b5fb5337a1

                                            SHA1

                                            131c2b3eb9afb6a806610567fe846a09d60b5115

                                            SHA256

                                            5d00cfc66ae11f68bae4ac8e5a0f07158dae6bfd4ea34035b8c7c4e3be70f2c5

                                            SHA512

                                            26f18e40b1d4d97d997815fe3921af11f8e75e99a9386bbe39fb8820af1cbe4e9f41d3328b6a051f1d63a4dfff5b674a0abafae975f848df4272aa036771e2e9

                                            Download Submit

                                          • C:\Users\Admin\Downloads\Release.zip
                                            Filesize

                                            6.4MB

                                            MD5

                                            89661a9ff6de529497fec56a112bf75e

                                            SHA1

                                            2dd31a19489f4d7c562b647f69117e31b894b5c3

                                            SHA256

                                            e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

                                            SHA512

                                            33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

                                            Download Submit

                                          • C:\Users\Admin\Downloads\Release.zip:Zone.Identifier
                                            Filesize

                                            26B

                                            MD5

                                            fbccf14d504b7b2dbcb5a5bda75bd93b

                                            SHA1

                                            d59fc84cdd5217c6cf74785703655f78da6b582b

                                            SHA256

                                            eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                            SHA512

                                            aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                            Download Submit

                                          • memory/768-542-0x0000000000CF0000-0x0000000000D02000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/2964-423-0x0000000006130000-0x0000000006142000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/2964-418-0x0000000006140000-0x00000000066E6000-memory.dmp

                                            Filesize

                                            5.6MB

                                            Download

                                          • memory/2964-421-0x00000000060C0000-0x00000000060D4000-memory.dmp

                                            Filesize

                                            80KB

                                            Download

                                          • memory/2964-422-0x0000000006110000-0x000000000612A000-memory.dmp

                                            Filesize

                                            104KB

                                            Download

                                          • memory/2964-419-0x0000000005B90000-0x0000000005C22000-memory.dmp

                                            Filesize

                                            584KB

                                            Download

                                          • memory/2964-424-0x000000000A470000-0x000000000A492000-memory.dmp

                                            Filesize

                                            136KB

                                            Download

                                          • memory/2964-440-0x00000000085C0000-0x0000000008672000-memory.dmp

                                            Filesize

                                            712KB

                                            Download

                                          • memory/2964-441-0x0000000008B20000-0x0000000008E77000-memory.dmp

                                            Filesize

                                            3.3MB

                                            Download

                                          • memory/2964-417-0x0000000000E70000-0x0000000001072000-memory.dmp

                                            Filesize

                                            2.0MB

                                            Download

                                          • memory/2964-420-0x0000000005B40000-0x0000000005B4A000-memory.dmp

                                            Filesize

                                            40KB

                                            Download

                                          • memory/2964-496-0x0000000001940000-0x0000000001A64000-memory.dmp

                                            Filesize

                                            1.1MB

                                            Download

                                          • memory/2964-497-0x0000000007030000-0x000000000704A000-memory.dmp

                                            Filesize

                                            104KB

                                            Download

                                          • memory/3472-24-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/3472-25-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/3472-1-0x0000000000F20000-0x0000000000F36000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/3472-0-0x00007FFEF38D3000-0x00007FFEF38D5000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4068-526-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                            Filesize

                                            72KB

                                            Download