xenorat | 8f37536779a162c72c3e7c3746cdec98deabc7b93b1bed72665f247453313ac9

Analysis

max time kernel
147s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-12-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skibidi.exe
Size

51KB
MD5

86d77c17544a48930449ff45e391d426
SHA1

c7380a8887af46a859081e964f254902d05f35fd
SHA256

8f37536779a162c72c3e7c3746cdec98deabc7b93b1bed72665f247453313ac9
SHA512

4df914cd2dfe2ab4f04fc19846560d0f86a5e8e91bb0ed113fd2ba0dc8d27ca3b3607613069aa2d6ac511f1faf81680d0222c9272c919640a425aaddce28174c
SSDEEP

768:CivdjHrddilbVauou7EoBEqxHB6+HLdSkGPs2yPo+LGZYebFDaYxJ6RNSgNOD:bpHmVauoBbk6onks6CSYebFF+f4D

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

10.9.169.14

Mutex

Xeno_rat_nd8912d

Attributes

delay
2000
install_path
nothingset
port
9003
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2764-1-0x0000000000AB0000-0x0000000000AC4000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skibidi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skibidi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skibidi.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
2572	msedge.exe
2572	msedge.exe
5024	msedge.exe
5024	msedge.exe
4444	identity_helper.exe
4444	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2612	2572	msedge.exe	85
PID 2572 wrote to memory of 2612	2572	msedge.exe	85
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 1512	2572	msedge.exe	86
PID 2572 wrote to memory of 3420	2572	msedge.exe	87
PID 2572 wrote to memory of 3420	2572	msedge.exe	87
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88
PID 2572 wrote to memory of 3132	2572	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\skibidi.exe
"C:\Users\Admin\AppData\Local\Temp\skibidi.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2104

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=task+manager&FORM=IE8SRC
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb80483cb8,0x7ffb80483cc8,0x7ffb80483cd8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,7017157835850282947,6515235133764593532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\skibidi.exe
"C:\Users\Admin\AppData\Local\Temp\skibidi.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4912

C:\Users\Admin\AppData\Local\Temp\skibidi.exe
"C:\Users\Admin\AppData\Local\Temp\skibidi.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\skibidi.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e1c6c6ef199f4e35335bdc0179569698

SHA1
f4e5f962467ab593866871d98fc425a1f5ac38a6

SHA256
d2e2f531bd3666b96eb805e70ebc09282bcd2f992f3cb9379bc5b1993be55326

SHA512
0d3ddd96f53bb548932791dfaad02b2fca0c76e91d4485246ddfbdd638e15a6aeea579c8fa1080fe0f3ce1ad450435adad721ce7e61c36aff980c86cdf40b55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
402B

MD5
54c1d311012f48e50ac72e9b0d6b8e71

SHA1
2a7569f5395a1efd20d031ed5e65c424b2e89861

SHA256
a69b42b2df74adb169138aab69eca376a5148930e440e90d8a57404069b6f38a

SHA512
9d1fa30376fa78197ae987410687c80463b5dbf518b7b789de8ec6809f58d3800033cd5c55a9573fcd842d656e7ead6ffb0f63841374e058558ae3ddc7f762f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7cac223685f4da1f3cea6d2d3d83eb9

SHA1
59ae50b52abef1dcc99002e262950fb1d55e444a

SHA256
fe16042092d2d799f76f70d7e7312afd560f1697238fa4a027d825a09e1c8a43

SHA512
9f1cd47eda01348ce12a20d28c087662f8e33dd8e82181c882e85912fc678978b7997fcf338a071e38fc644c7c6a394c2b4b126cc5663df0771f1861b679b42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a5cac21d738b20f827450626f84ddd5

SHA1
ecb8e5f1f1a2d858dacb72946dc9f54f32ebed29

SHA256
e96eea84b4e34459f2029fde89d9e1b343faf796f9121bf9b3a8f566cc84d361

SHA512
f6450c1d1f9e7efa7d34c8dd03d88f7f477be563dd9f5d42e52016d1e96cae581c155dc31232ffe00da2811e6b3c164e7cd7402ed0161794f4a6687abefac608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78cda14451e3786692cb8820c6c32b0f

SHA1
444500b07169b6eb914eb82baa85505c1852bc4d

SHA256
9d15fbfb2e20b0f0ad157a5480de61dd719f1c1013f7568993e0110b548eb409

SHA512
29ee40ae3dc97c124d4c4933d3fa70032a38433bcd3c53ae671edb37fb6d2264feb1f376da95b6e32907e1597bd612bbbf51b7d92b7a3554d0bc821fecaae90e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\56f85b46-f5d2-42cb-8a97-3b398886ea88.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/2764-4-0x0000000074EB0000-0x0000000075661000-memory.dmp

Filesize
7.7MB

Download
memory/2764-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/2764-3-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/2764-2-0x0000000074EB0000-0x0000000075661000-memory.dmp

Filesize
7.7MB

Download
memory/2764-1-0x0000000000AB0000-0x0000000000AC4000-memory.dmp

Filesize
80KB

Download