hxxps://gofile[.]io/d/lkw1cL

Resubmissions

20-12-2024 01:58

241220-cdx7mawmex 10

19-12-2024 23:39

241219-3nsm1atnbq 10

19-12-2024 23:39

241219-3nnztatkcz 3

19-12-2024 23:31

241219-3h5elstmbj 4

Analysis

max time kernel
300s
max time network
289s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-12-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/lkw1cL

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\92e7104e-5887-4afb-b934-d7e2f843c8c3.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241219233204.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
728	msedge.exe
728	msedge.exe
2152	identity_helper.exe
2152	identity_helper.exe
5240	msedge.exe
5240	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5660	7zG.exe
Token: 35	5660	7zG.exe
Token: SeSecurityPrivilege	5660	7zG.exe
Token: SeSecurityPrivilege	5660	7zG.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
5660	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4600	728	msedge.exe	83
PID 728 wrote to memory of 4600	728	msedge.exe	83
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 4776	728	msedge.exe	84
PID 728 wrote to memory of 404	728	msedge.exe	85
PID 728 wrote to memory of 404	728	msedge.exe	85
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86
PID 728 wrote to memory of 2608	728	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/lkw1cL
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc8c5c46f8,0x7ffc8c5c4708,0x7ffc8c5c4718
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff64bdc5460,0x7ff64bdc5470,0x7ff64bdc5480
    3⤵
    PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4585226784709609390,7057657154311559460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17521:80:7zEvent12605
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b03d78ec6b6f6bfc8ce2f6e81cd88647

SHA1
014cb7dc4aa1bc5d2cb4ec25ec58470baf5b6741

SHA256
983928a84fcf0791614cc3d17d92d62ffbed0bf0f141d7544d0cc762977a3905

SHA512
4699916bdfa5776d72ad2643fad072a7a19783900608290bd1246a19624d61b58a1d80eceb74215b7198aaf04c526fa8703d38f3c5fdcc1add19b87508685ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
95ba0df0c4c417ae5a52c277e5f43b64

SHA1
7c3bf3447551678f742cc311cd4cf7b2a99ab3be

SHA256
fdaa82c65558793b81117a66acd5645d4072f6b71f164ed2717a17cab6e727ea

SHA512
fcb35a1949664f218ae40c25fd6eaefc4ba6417034a522f0800c50ee78e530c33080faa73ff9ea82f35749d404d6b9c94fc7e8e224689503e699a5ec2b0d5abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7aac2e1bc21fbf18f0daab4809a27631

SHA1
26ce805b7eabea5419bb06f9ddf6b87b64bd0c2d

SHA256
e23d7c56a3d7c6f452b7c4eb9da16abc081eb55144bb6906d467241f80f07739

SHA512
aa0a9538c69ad884a3667654e15ac39c731acf4b3cbb2c07cb0e554a8c67185aed03a08d05c56f1c6c05a79844d73097da4ed86f9e36dca9b2aee3eccebea8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
d9fc4abe413fa3f39d9ea42803398de1

SHA1
b1804abb902357f6525df29c33b3a4c7b398c29d

SHA256
b8100e4105e29614f2c301c7ffed4cc10f97402a1570948aca522905a6243446

SHA512
9fd5a62e0429e25fa4b4f9c5bde903de4cb0a66efbfd55a3820ad4b35b8aa7380687a6dece7ddb6d0b5c30d39499c83443efa1bae8c711013ecab110aac34e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7c0d79b95ae2cf3dfd2a4054af266439

SHA1
c632524bc5141e51619f1bbab0149e8c9ad7660e

SHA256
482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d

SHA512
e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe588373.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c552af83af873560ba9789c34e48383

SHA1
dceb97558da667f57eecb1755849e3d15fc1fe13

SHA256
234d295a524f8342ff316588301e792efb40e440214b541174ed943b20638699

SHA512
ad818c74b8de0a1a1e5d49cd3dc114cbb3b3525f3805662785353947652e4a1cd84fe70f65b49ff0c87920d121628ce4d5d8acc30c5276bc84e6d23fbb35902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3693720ac467d56300add612dd4d7546

SHA1
24f1938d1dc377ff71dc627578400fa68cb90263

SHA256
5a385cb51a7945740efaf67528bf4c8489738f5deed7a56b519aff6059a5f458

SHA512
1e708ab453b3e72bab3e2ecb858efa58bee1d568df61acf2424a9301901bba7ff8294569fc70f372d3a46bef79572d9e12a5af3446e2b06e2182784bf0514a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3ca7feb8b9834d883247340f848536b

SHA1
281f711bdfa6f636e7f89cd1a8e3ea972093374a

SHA256
a96afc668b70765fb3ac8b8857bb58c11e6e08fc42f586fa0711dbaeac9211cb

SHA512
2ac5ea867d7ae78d3bdef7d7b64c58fdacd660c674fd2cb329608b1691a6822f5df07ac8683217b50e5b15caa1f827dea91f85ce6bbbf1196af37bb1ae9122ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0493f44576fd7d9b6216b7387a26543e

SHA1
47d35c7f2990ec4668ecf1c01e0e5f623153a3f3

SHA256
0679b6900e2118e17164159f449fdc1f6bf20c0cc0b056cc9aedfae42a830ca8

SHA512
a519962ffb281d471bcf63c0bf75bed19d4eeac591cf6bf8565af14dde1d57fe8cabfc05bec52b2087ce8c6f637dbefb438ce22054895dc116b31bffa18e9cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1cc3bc2b1c52831cc0b972d856888e8c

SHA1
9ffa8cf55aa29f6cbdd5ec39b1b33938b29e9990

SHA256
a8f894b23c518e04d94f1bb51343443de8121366171d2f05441283dbb1cfdd2c

SHA512
85bd6789da57c911f9cc35929ab302829614a4f03b3de30e28ab16558279ed02200a7db802c9bcd6b2e5886ea3c323d6a39eb8c3ee309d8b5702be65dab7c3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
01896ca0f531fa6c9098b57879777e2f

SHA1
5d758de3aef4a1e9c5ee8b629ff65214388368a6

SHA256
f8d4e8d78fa559d06a4339c9e738830f1917e0dac491f774778733b3666462ae

SHA512
d6bf0a24ede0ed959824da893e5ca6703e0895e223db587119e7474d133a9a1a16689e0ea4fa35e6c1ac6a0b25b88cc08fde40915de120892ac593d4145b204a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a91de67440880e0be6242006fa1c593d

SHA1
cfd83e161c30e352a840d548795f88bf2b03bbe8

SHA256
5ce8732e3f224b075f56464cffd1b7fd93daae6fea0a5a4439416865fa30166e

SHA512
af8cc122b76252720907803336a7532a99e2ca04e14a63989f542d567e95129437f50c647c5b28493d098c1faada05677511ada58f115f1c7f8cf152cd01f9be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
fac41bbbe33d6e894fc73e36466f162b

SHA1
75ccf9c0f936923529b180f21cbd1ee3ca7d8fa3

SHA256
af1bc29cca7c314aa57f933213097de876c8eda65e05b94933f75f1b0bc2dda2

SHA512
d56149e5fda0c27295069b43bb8b04abb4046e727024235658853d7bbe3c87151f2236df54761abab90c7aa04d0590fcded74d5162a9eb10ba139240438165c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
91c62d934b601ed347c81350cd9d0964

SHA1
92b01dc9d219f5faddca1c9e8d51652d78a7aa01

SHA256
d1f73f0f6bf49775af1f8f12717ab39d80e5f4f1de60346035cb9f0e55a24976

SHA512
7e9071f8a3d72b2db417b32f2e3aca97b1fde3c5cca527de32b0e652cd641b288b8440e5405ee99ee3f684860373c8c5ff60d056974082dad45e8a4cd3e95918

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2.7z

Filesize
36.3MB

MD5
8e391f6618b90ddcefb8048b768c20c8

SHA1
5ba1ee1aad993c5b76ba722706c146e3456e16d6

SHA256
5730c3bf3e6bc163dee6bab4660722c55eb1a4d878faa1f5b2a1c3e5929a0528

SHA512
b1358fc3f0694b84a12b1e50e049777ea2b89dc5ac3b12ac852b0e5929d8a51ed53479c2ea0e2e194faa570c370ed61bbc654cc4625d0aeb8514b44bbef08df9

Download Submit