quasar | hxxps://github[.]com/spedrico/Xworm-5[.]6

Analysis

max time kernel
43s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/spedrico/Xworm-5.6

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

freericosigma-26438.portmap.host:26438

Mutex

6a812a16-bed7-4c21-bbeb-bebaa40c1199

Attributes

encryption_key
58C13ECD5BB3F935EF7290F45BAFB86709207A11
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
system 32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d79-269.dat	family_quasar
behavioral1/memory/2892-271-0x00000000008E0000-0x0000000000C04000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 3 IoCs

pid	Process
2892	Xworm V5.6.exe
3968	Client.exe
2892	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4312	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4312	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3928	schtasks.exe
1452	schtasks.exe
640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4556	msedge.exe
4556	msedge.exe
3272	msedge.exe
3272	msedge.exe
3884	identity_helper.exe
3884	identity_helper.exe
3192	msedge.exe
3192	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2644	7zG.exe
Token: 35	2644	7zG.exe
Token: SeSecurityPrivilege	2644	7zG.exe
Token: SeSecurityPrivilege	2644	7zG.exe
Token: SeDebugPrivilege	2892	Xworm V5.6.exe
Token: SeDebugPrivilege	3968	Client.exe
Token: SeDebugPrivilege	2892	Client.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
2644	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 2816	3272	msedge.exe	82
PID 3272 wrote to memory of 2816	3272	msedge.exe	82
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 3520	3272	msedge.exe	83
PID 3272 wrote to memory of 4556	3272	msedge.exe	84
PID 3272 wrote to memory of 4556	3272	msedge.exe	84
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85
PID 3272 wrote to memory of 4180	3272	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/spedrico/Xworm-5.6
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebdd546f8,0x7ffebdd54708,0x7ffebdd54718
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15143599959876795163,10503537725504754671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:1780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xworm-5.6-main\" -ad -an -ai#7zMap23030:90:7zEvent24463
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2644

C:\Users\Admin\Downloads\Xworm-5.6-main\Xworm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\Xworm-5.6-main\Xworm-5.6-main\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3928
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVqFSdYSLkjC.bat" "
    3⤵
    PID:3960
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:640
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4312
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2892
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:640
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i3Xq0Daws8gf.bat" "
        5⤵
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3a624ac34adb47d0edb29bd590008dda

SHA1
8770b7325e767d99d7d3104b64e177ad5c5dbccf

SHA256
956d060fcd9799b2190764d889bde89b1ada66b53bc8def517f374e23ec7d541

SHA512
23675059ba05689d97776e4522a5c58c111a2eccafa6df945377bbd6e69378c29a2881748af56da2e473e26db46c29d78cb0e007515a3a343b78a5b6c886c57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9aac33cc39b7781522f8ce22ba4a5ab9

SHA1
67cb8ea77b41d62cae29518a64d3a9880e9d4cbc

SHA256
bfa38080881b967b32179c6da64ada75821a5d33622d1c0b85e9facab5407701

SHA512
d166b2319e3ebe6edd81d1aa2dde4df1aabd098743c3b27e25a3a41e66f457ad72ec1cabd04218f605172e0202e6d669e2b449ba9c26f067dc172256032d8ed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6e0a63241526aa467f59359e6b775a7

SHA1
fe3c99c0c17a240ddc58a401c38fce8eb59e499c

SHA256
31ffcf9b911dafb17131bb4320e16c444b00bc9364fee97a6a06c13b92774dac

SHA512
1f11427a842d8f5602c2d332aa325f62f097757694509ee6734723579e3328dd7fed4471c1c52cca838e5b68b8928c03d15775c857714be1def9cfdc3ea221a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
06f4809f90007085dbae15a4459e24d9

SHA1
b086590e83f46503914bb130fc1ee9df58544a73

SHA256
ac3ec864c350f7c2b1497bc718d2f18b935a10dc08bb4afccba05bfb7ea7a899

SHA512
7539bcc2cb8a01af3561d1f2344d913867c6b2655df0c1e3e7e53c917f6251d35a56d44fe79c463aea09e9246c53b23c67c8c6e3d42219619893d179a6ef84ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3dc596e9229d15a4dba276c8c07cccf6

SHA1
063e08e7c8d57780c8128b79f55a4ac2a8fe4cbd

SHA256
15fa9a784f4bc593e58d460e60dddf5ae32c06bc247ceb561e6a1cec57c82335

SHA512
94d2bb547249e4f09d224e946f1d274b2a65eaa845ff5f25e6f416a1c0a945258ce597e2cdc3eb0a16089bd19a5ef25fa4698ddabe7e0f71a7b5798b8974a875

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3Xq0Daws8gf.bat

Filesize
207B

MD5
793a674089656e4774c9b0dc3535b21d

SHA1
4daf4f246711cf6ef628a3d447fb7549c4678a4b

SHA256
ba61ed73cd89fb612fde268f18ff8b4adcd7a265d8f7815d5de71502bd1d9b5d

SHA512
be3bcf00b7e85e5c4419d5ec38cd9a1f2c952f91b38262a7fb39fe6531a336e34ac5120b768506ba8f736e3e670387a23566d5ae0b0f036d2795ed41e8783132

Download Submit
C:\Users\Admin\AppData\Local\Temp\rVqFSdYSLkjC.bat

Filesize
207B

MD5
8b099ff06e33eff4efd267775efdbf80

SHA1
478878ed23d7322802b09f8d6edbf47641c18b0b

SHA256
98b8b5bc4a36af054a74eacde012d809365a400e411012fdd70b308ba41c3abd

SHA512
23020de97ad7420c2dddfeb3dbf69716314f4e686368d283bdd585a2ccd562c35f3977ecb65f9fd20d1bd6654c25ef35b2a357e55703784032f3655fdb56d611

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 881086.crdownload

Filesize
7.8MB

MD5
01f672b5dc0593881a045cfd5f5f599d

SHA1
63f8da088a947cc2e12319167c89f0feef96f38d

SHA256
7c895813ba15558ae2cd031c9e89537dfca8a6ddf50a282fa1b36a31ee127612

SHA512
2fc435be2727b132da1002bc79629061ef0825ad9fd6cb48e298a11b570e2bdebb61c06f0a04d34e3618545a1550006916a0a5e76d3ad1a0b766ca77689afb0b

Download Submit
C:\Users\Admin\Downloads\Xworm-5.6-main\Xworm-5.6-main\Xworm V5.6.exe

Filesize
3.1MB

MD5
c315235357ed22f5d6ef31f6998b34fa

SHA1
708dcdbd6de3fb6be9a6bb1424133075aa64d747

SHA256
c3d533032bfdd76b16eb170ac1b60fccad8c48933de2fe9d89a31f2853660850

SHA512
17d66d4f822e38ddcfdb30403b23ef264868bdcfe2642d068874636e087c818d13daf05ac26bd7319c078ba7cef6da4b50318c20e9d4885c4c550ff41bd0d9ef

Download Submit
memory/2892-271-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/3968-277-0x0000000001420000-0x0000000001470000-memory.dmp

Filesize
320KB

Download
memory/3968-278-0x000000001C020000-0x000000001C0D2000-memory.dmp

Filesize
712KB

Download