hxxps://drive[.]google[.]com/drive/folders/188HIssXvxpMoP6Khlgdn-cZ_Q1njjIQO?usp=sharing

Resubmissions

04-01-2025 02:03

250104-cgtzdavqbz 6

04-01-2025 01:58

250104-cdtjfavnbx 6

Analysis

max time kernel
251s
max time network
252s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/188HIssXvxpMoP6Khlgdn-cZ_Q1njjIQO?usp=sharing

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrosshairX = "\"C:\\Users\\Admin\\Downloads\\CrosshairX.v2024.07.03-20250104T015816Z-001\\CrosshairX.v2024.07.03\\CrosshairX.v2024.07.03\\CrosshairX.exe\""	CrosshairX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\crosshair-x\URL Protocol	CrosshairX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\crosshair-x\ = "URL:crosshair-x"	CrosshairX.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\crosshair-x\shell\open\command	CrosshairX.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\crosshair-x\shell	CrosshairX.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\crosshair-x\shell\open	CrosshairX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\crosshair-x\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\CrosshairX.v2024.07.03-20250104T015816Z-001\\CrosshairX.v2024.07.03\\CrosshairX.v2024.07.03\\CrosshairX.exe\" \"%1\""	CrosshairX.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\crosshair-x	CrosshairX.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5016	msedge.exe
5016	msedge.exe
4864	msedge.exe
4864	msedge.exe
4328	identity_helper.exe
4328	identity_helper.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
2140	msedge.exe
2140	msedge.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe
Token: SeShutdownPrivilege	1964	CrosshairX.exe
Token: SeCreatePagefilePrivilege	1964	CrosshairX.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe
1964	CrosshairX.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	CrosshairX.exe
1964	CrosshairX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 768	4864	msedge.exe	82
PID 4864 wrote to memory of 768	4864	msedge.exe	82
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 1992	4864	msedge.exe	83
PID 4864 wrote to memory of 5016	4864	msedge.exe	84
PID 4864 wrote to memory of 5016	4864	msedge.exe	84
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85
PID 4864 wrote to memory of 3520	4864	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/188HIssXvxpMoP6Khlgdn-cZ_Q1njjIQO?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9264246f8,0x7ff926424708,0x7ff926424718
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5584 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,4308388575777522726,3914015594919941668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4956

C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe
"C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1964
- C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe
  C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\CrosshairX /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\CrosshairX\Crashpad --url=https://f.a.k/e --annotation=_productName=CrosshairX --annotation=_version=8.8.1 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=21.4.4 --initial-client-data=0x518,0x520,0x524,0x4f4,0x528,0x7ff7983406e0,0x7ff7983406f0,0x7ff798340700
  2⤵
  PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Cryptography" /v MachineGuid"
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Cryptography" /v MachineGuid
    3⤵
    PID:2120
- C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe
  "C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\CrosshairX" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 --field-trial-handle=2116,i,17658605572654647427,5083632165403934529,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3576
- C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe
  "C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\CrosshairX" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2324 --field-trial-handle=2116,i,17658605572654647427,5083632165403934529,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1212
- C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe
  "C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\CrosshairX" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3064 --field-trial-handle=2116,i,17658605572654647427,5083632165403934529,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  PID:3864
- C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe
  "C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\CrosshairX" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3368 --field-trial-handle=2116,i,17658605572654647427,5083632165403934529,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  PID:592
- C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe
  "C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\CrosshairX.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\CrosshairX" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\Downloads\CrosshairX.v2024.07.03-20250104T015816Z-001\CrosshairX.v2024.07.03\CrosshairX.v2024.07.03\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3452 --field-trial-handle=2116,i,17658605572654647427,5083632165403934529,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\31ca6c09-c2b4-4ffe-b18f-adccebf0013e.tmp

Filesize
3KB

MD5
a40e3f272e7f307ad5766adaaf5bf1b9

SHA1
708c2a7fe5907b6c1f6406dcb64999e66da1e3c5

SHA256
99c8d30ccc9b60107c94ee1d0c3c60fe1628e114fa73104781d40bc375446fa2

SHA512
5b58f88cabc1fcea2320dd1b7fe37cdb9ce805322bb5a18161cc0083b5817d49cee2b647f059a6265492ab5449ff6560b72c86a4f55c12b8d3ad63eac8a5f121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8a7ec54b2cf73a766999890bd246edac

SHA1
aa21324517fa12d2604971d6793dfc61e0e7c6fb

SHA256
077cdfad76c3107bda2d320497282c9626d0758117cf94d3c44c11a40cd12532

SHA512
8df251cd697b410e93128601138691a57792cb7e81661b99f29c18ee1905507b516cee3b961dfb17a6ce1ece9de682ab85a67755798528a0035e9ee89d3f3e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f4f0c721e8bd1e404efeb564ce24bc63

SHA1
2ece8ed93bc07957e59074d80f12bef7805a930a

SHA256
2f01be19f86ef8aeb1835e17897401692108ac7b340a2b39b748f9890b683649

SHA512
eddb57046f0c7509f64791f26c6cbf93ec6da5a76f77f350f2e3b3db905aea6d131175ac0d681591c1ca5828b0506aa26a4a48ff27d833719f9d809f82a064d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
472f68c5bc08d36b5d1c6418369fb6c6

SHA1
49ce3aafafe14c79cc840a43d1cb30a255313c2b

SHA256
28fc83ff412510203ef86b97a2f0abac1e42a05d038ca8a0524a19db3c51e10e

SHA512
6284e6a0a8262f97f2e0b256c89e9c8f4319e2cdb46a0ffb72b5f4afed7b871171f083e8e3cdb0aa2933e07cc73fe4e8fc432bc4b3da0c0b2dce5f51079f1993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8a17b8a77773851d528c7176e7ae999

SHA1
09670ab9405bfe912fbc5bfe15fee0252b4b5b30

SHA256
51f587e5f71037ba10d3c3045e19c656ee6129676f82b51e6200a2ba1c904db9

SHA512
3012821fabcb9c148c47fec95046471e4dc73e5b40607328b46ef2327a80e9a414eb51fe4605effff8bac1a16d75b932a068f2ce628eb422fe6eca38482b50a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
042f794f2b41f1a7483a17fb91bf0ad8

SHA1
457dd2f830e86b2630bf4f8f202996a83f8d09f2

SHA256
cc4989ca562dfcd0782351f3cd99be77e3d7e045517fbf1098f6eed2678f7935

SHA512
efd3c86d1a2e439c1c924612e9bdb2a004a6ec8d1939fe501d7c9e3c8998c924922f65229656bd9c2d309bfc1653614a401fbbc21b757df07e96d82fe320e149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de1faf2cdfdb81e5e13d29e927dd4d03

SHA1
58dc275c84f668b6fb068f95236b15fdc5562746

SHA256
6872ca26687d3b2ea379da8e46f9edcd277903c6dd8a9f7dfbadca0de3d2885d

SHA512
af131b8f92e8f467dda4039e36d18a78503c732cc81bf3f6121d8f0799fd88b254bf8e3d7762b7f1d0097eab652092727d4f4df6aa41285c7a98da9c03ec14a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
91ee1bff9878d951bea47a433ab92c55

SHA1
88e259718de571afd767edd8ef83de24ca53cb1c

SHA256
2648d9a7297449e640e1c409c20491daae78279f23b4382d1aabf9b0eb47fa61

SHA512
f9dce091050e28617761987fd0e71adae4721c8f1f9b2da39572f4ea8d9e7fedc37c6c45e1eb47368adf0db17d3ddc490a115f3d738ead30912a659119c0c7b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
44c64b0f568d01b01ae78637ba631b23

SHA1
d349a38df82249ccff8f2a8322fcb03a7295bf66

SHA256
541cd7a979d6269f56408e31da6fb0c814558d5521cd9e84579b19d1e73ae244

SHA512
120994de1ae6972923f34a904425525bb2518488ac3c7ca6292840056b504e793c622a826892cd9986cd9a4ad0b0b00fbec5d25623d1570981eb08eaca399471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8fba290ce0b8c20faee3331a518c67cf

SHA1
75aa99f0dd3a68e9114ce7b971473a9cbb83a5c5

SHA256
f8c4c8bb472567d852bb5baa36a6992903e2255eda59a52e105f5cd125f981ae

SHA512
01d752e553761f21d345182c1459fa45e82508c05edb965eaa4fc3df51e7daf3e983569f61ce346004cce5cd08789c57e779a0fee672450113a281ab2c206066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a2e8e5ef3c93d3bc30ff244dbc03f4f

SHA1
5c30d7ffea13f4d5814442044b315831f5a43259

SHA256
b4089a4cd42f2cfbfc703bea2b22deae841941150288d32c2bc206786d1d05f9

SHA512
922708ba4917c6a3b3b38de6fef0b7c0fba20e60eb0aa5c22c97f74a34ef809689f2256edfdb6fdc05df40300e5f81f1e5fc15342b610adf83f2a4d7a1f7ae1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed22b79491f72239f247539f8706510c

SHA1
cb2e2965c7f64024cb52099f0bd3c3c9f1cbeb9c

SHA256
bd342d28e227619b5e1188095ba43ffe3710cf8ed4a3a1b6dfe9866d82267e49

SHA512
fc9973257a1917731426248ce6884b5f66228b0b6a2d27df8101a31ddf91ccc93e7ded60fdad124513457879015811d89a417c0aeb74bf25b11312b9734ca534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a7ce80502715511a51465365d9b0ace2

SHA1
75db206b635ccfb1ad577c2756f5e23c2e712a6b

SHA256
4a4e91f52eaa4a1e4f9f4864ee2b68dec07528155faad9c2fc456b3d772a6e65

SHA512
18419b5f9efa7383df0c02ee71c163db54e158291577ee519fbfaf45c5c42e2b187516d6575125afd6976e6d4a7a183f14dcfb75970c62383f78d169828d1b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7a46c9050c3157cc7cae1921c081dc20

SHA1
257901c294ea001d1d95ba8d0401b51abd3516d4

SHA256
9c9b10618f6ed110e0e331c66caaf7ff364b7bd1b6604c0eb7239c8324fbf358

SHA512
ce1db69e825700933fa558a3569022e9a48ccd5105c3929646f702584c282955cf1060e5072c70d6004b9ec877dc6495b582616cff25ccc8329d1b7c787e62e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5ec743df2318e884f2f46776fc1efe22

SHA1
4e135425ffb7a007694880627c8fe773bacc8dbc

SHA256
28b217f3a319cb6199f615ee7d5ddb63ce64d4e97471547ea5d25098d450c971

SHA512
6bee1fe1ad754610566fd8c00aecd9c43913dfa654c66c17f8e4ded5d80b29f5591cf929caaba11e3dede559179baf02c20257bf0a8afbda8f5006725d66daab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
59001d07275add75e78e031a911f7c0a

SHA1
afdbfa994aa48d216a8617ac82cbf12c19514b87

SHA256
a1a5593ad35ced05db890ad61721e38c150cf4b7723bd180b27c283fd7688ded

SHA512
68bcc1ecc36bfc89bb9977aa7c19dc20e6902600bcc6c9644185a5beb2924e78b3ea3f829a1b6c7425aa12f0d9d688e673bf77f4b101e17300b28f848e614e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97c06fc5e254103921d2a09b4179ceb3

SHA1
02b83a4cd7ae1bc7aef4994f1041d27db3641e01

SHA256
8112889625ed33bcc5127b753621771a64d26c5f17b97649ee5afee63ac15358

SHA512
84e19a44e6673273cc6d3c94a4a34c4e751ef385670553dc939783c614378df4860dc555b9306301416c1344ebd17cd9a8ff9e3d9ab33e5327ddcbeeb13bd1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e26dbd0f5b77606034ac4f96ea60d3a3

SHA1
d73db0e67fb9b1453aebd5fa6392df837f6976fc

SHA256
d6f5014748d9706f6bde621efeb9915c66dfaa6e5b5ee5c6737acb0555612c35

SHA512
6000b2dfed94448c047c9d48fd8012a695bad2203a5e0c19cea7a0a493d35896b9c371e690da1e2b49a248ee31365e1bacc8fc02896a6854935b4b39b017016f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cec9.TMP

Filesize
1KB

MD5
bec04846c0f3715e51f6090419bfb6b1

SHA1
0ebf3add46e2373ec24216796a29cecde7d4371f

SHA256
63396dd74f8aa64dd3fb304996822b6e445d2185a33914bf8fa1335df559df34

SHA512
6a50b7ef1deb70328ba0b6c18d48344fe89ac4eedbde61a5e642171d8d31e7201e5d4d5c6df1f522992d31fb87b8503d7c69874af3109a4456c074ddaffee909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec91edb68595a07a364367ce956d596d

SHA1
8c44bef70f07c9cef9da367805991f0a09145f16

SHA256
a670c9aa2e500ff209d3cd870530547379f75606b9eec7c2955d649dc909a711

SHA512
f5dedd7436a7192c59400a190a9f8c61cd7e596f3056102af9ee28363188699049682d480b3a7cad6ec92673b9657457387865741a68b04696a3ddd2a2800dfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3a5fcedb2c1b2f0542acff0aeec69439

SHA1
27dee41065dc8d99890c289e5c3b6e84ef1646c5

SHA256
35f50c0fa20e3325558868136c513499eadcd60f5a57f0f036a50d6764225734

SHA512
98abdb0076ea032bacb91b4047646050925386fb4e9f945035b15aa0375189c77c7124bdbf627850bbe4b5f7332d0a799fc803a06a86bb7fdf6489c5665bc6fc

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\Network\Network Persistent State~RFe5b0c12.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\Network\f0b462eb-49ac-4f95-b0a6-76b0f601a23a.tmp

Filesize
775B

MD5
0549971943e1c4a0257afee873fcb57b

SHA1
808f6f708a9a81758a0f9c5827184110d3d8ae9f

SHA256
6856ab09aea2399c393a5d4a3c37725bca92fa9573dfdecbb82bd867054cb527

SHA512
d47f6262c18539f8c46633e877a2aa185bc3316917b3d0b8e5e8a733d8f0d34619880dd4b3a30c49b58f13e6ec525ae10b31da073143500d58d52f7663ed6c43

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
138e20f245c675766851bfd53281dc74

SHA1
ce6a98a032bb637007cd46c929e853dcdb39ae32

SHA256
53e3865e8fc644c6e17b7baea64ed18e5afc68910953c3490827f1c0e5191fb8

SHA512
b9861fde0bcb9a8a7a5fa8c1e178cc066540ac120804a6b8163184b26003b19ff853c630ef085c51e5f1177ccd8b389dd05588ff312eac1103e0fa3319b1dcf2

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
24dec83e859f4f0b3754fdfd1212adbc

SHA1
814e657d8cdc22d30d5b9a36cd063ba9094e791d

SHA256
a234186a44a33c0baf4a387f700ef37baa8818e176d416166266a33c2f7afeeb

SHA512
41972dfb16d06e93e1d7999539bb0f12220c570aaa2fd0352ca4904f4a035d4dbd68acb11ba0047a4b94dc3433dba09570bf1ef28b72d00692694e2610026a74

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
fe00ffc9d69847e2916ba1afef7ee854

SHA1
af2ec7669a113319e158fc40edb2754be5138543

SHA256
0b0da5a58ea3761737b71cd64aedfa8986a8ec9a175aa886b9fb70852809187f

SHA512
2c3d8ed3cf2a5aa8ffa4db3f782e837c39f8ea211d4f87cc2884231c3e71711518b548582267f966cea7042194d44926b0ba5c7ed276300a615c8ee4d3392230

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
9cd43b05baad777792b5235cd067b797

SHA1
b9f5949cc7b8e39772b549a1d34c7cc0b568b7cd

SHA256
c00162f8a3c58aff186c23652abbe519b820344ca4d872d0fe3160fe960ff7cb

SHA512
01c501f4bebac3ac1871c329e3ee46488cccf0e877facb09f733ef029e2e56f9fd700d3c3c152905c313c11f98b3b116d9d913732f40644baad42cd50c76c669

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
ab69aed4f95271b56d7c3e5b635d768b

SHA1
ec1e9563c1113a4fbcb776984b8102fab7bf764f

SHA256
a85f368aaecb8c30e50e65d9b0a0b9c8d7daf4ff9511a4f8c1fdc9510421a0aa

SHA512
5895feabe2e2894b40a18cf4cb57a692f80a50dbdbc9b43e5a011292e81d4e0f3d21d107eb4d07bf6766afbbd944e8d0bf91fab03b243f5401a0ef1864b1942d

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
555f9c53e6c8b9287961430180e827f8

SHA1
d65fd7114701e15f837e55a3dcb0858e26040538

SHA256
b53a4769e81f6812b2e92d2f4b5f4c4f102b7aced2da0b9fd262497240bd37f2

SHA512
1bf55bb4a257d8f40fa54c01d4b9a271e5a94646a3bc495ef0b68dca105fb7f93b937bc974e402b8928e210100690fad07875671d672767431034f235767ce8b

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
063c2ab1d70ab050c72b3b7b312bfccf

SHA1
cdb4f46eccc64108fd39262f3978f0454d96909e

SHA256
922eb85da0e3706b5c36f5b435f708cccc811865cb6e7c9896bdfdd3c58184df

SHA512
0b18bcd17ba37ddd9cc9af0f6b596f34180593da602559b8e11f22ec57b4850448558335863c07c0eb82b095829503c9a947384e0630fb0f0b11692a3e07fb3e

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
26KB

MD5
3f68a05d75cf581b8139428978ee529f

SHA1
53ed96393054851ece87f4f76c87800e4db3f76d

SHA256
067aec5ecd601caee05ccb9fbf8f8bde8a194c49656274febdc7f26e5ac3a148

SHA512
8a630009d9b3c10e74cb131e8c103cb31bf9c4122895b568266be997d750e846639842d05c116ddd0132f100c52e10bacd3d28dfb557a71401ca1b8050e401ac

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
10a2f33dd983161201695fc34546daee

SHA1
ac89c2ab50fec06549ae672daf8e9a5118cfc16e

SHA256
2511ad2c306300347628af7dbf272a9021324219214faca33e8e3af3397f8de6

SHA512
3554526fa7186bc233b1e666908a6ef865931a048d64e31d015284becbff9c032f032bf65422d63758f195d68882691193e4acf72a834a2038decf3e26d0234a

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
222bfbeb966b1e88bad2689e3a157682

SHA1
ff2bae036ac3f8f56bb7a969c4083ba26751f319

SHA256
4e8dff36db583a5e574d8ffabd06217d457e74e1fc07cb5dd8916170acf39b0c

SHA512
6b502968bb3f6e1a1faac3aa897a7001ce0fe10b5ff7741926ba49600ff19545b0894ca77db1d2a99c95cc67dcf9054a90fdcc820ab27af5899b8dbf480741b5

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
622134c97d8689bd17c86b1049994164

SHA1
b8be57530469f3572c7fb054f61ceaa0b9856917

SHA256
4b336214fce4789c1de82cdcf89edf3fde1b932d784edcf182b4ec29372befe0

SHA512
5a89e2517b689dbaed953a2d6529e3a1c49e886f77c38180435e73a03799ec62af0d830650be125e0d196f9c9a6f9a9e710cdac0d81c67d69f73877e1ffab6d2

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
c0a5794307615f6036c86db333efa9f4

SHA1
e5b5e677a3f69ac2e99d23d9ab15e8db4cc6b211

SHA256
96d46cc8d93fc688c5f6d040c7a14837747a6137ac49f2d70cb5d9642123676f

SHA512
f336f646fefc2aa6a6ffe7cd8e83c826ca4ab63c40e41df59f43092ab8f03ba6c68809b76e7c8f5df7d6bd3bb33ef9e678d820964f54de92702beb0f9c274c10

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
0a13fe3d57dfe027611d394f31b8732e

SHA1
527cd4fb49eda757c131056bf3d8e75d5ea5bae0

SHA256
be72abf5f87dd1af65aad1ac1d7a7c5788e7aac030186ac949846b62db6704a4

SHA512
7ce60fd42b8edc9837f8eedc87c60ea578a7258338bf045a73d600918de0cb65d090c5fac89f3eb3e43f5190238d0e55160e59ed5407619888fd8d6db18504d5

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
3KB

MD5
76e6faed866ff1d62c1a76c886e0e2ee

SHA1
b2fb41c9ae5a56e91ce5fb56f8d2ced7cc56c473

SHA256
dfba467406b95d8ba78519916188465c59c5bebd5d82180e954721390c041d91

SHA512
940062c48b51fd623a63e070ac79fcd94bb52af11320df34a1c146a9f47b3f97f01b4d2b7cda741c5e6ddaf47d873c2d9117ea03e4b91beb757d768694ceefb3

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json

Filesize
5KB

MD5
0ccd8f1dbd202da49beed5620029fb0a

SHA1
89d04629a221b5d12fa73da9038d50f6f2859666

SHA256
1ed1f78315097c25488cf1773f3a6110262c3fec37b58c7fb41324df24c78347

SHA512
0265c57fa219cff54c7927fc1f81226244db789d9899e9dadff2a9da22732e9e12a690f2b39c643a141f2f11eab4333e7e794f0e0c952a00b78c98f377fabd8f

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json.tmp-5956052908043b48

Filesize
3KB

MD5
69486841d887f1324f0e56a891e9a5d5

SHA1
ee6366259e2f4a74f1cfc97f480dd0d7bc323d8c

SHA256
fbe3a379236243b4d00a576cb6cc521110a18d1a15189fe52fb20c4714e06f36

SHA512
30a06338f6c9855060b98e26b2d9062541bbeb1dd56893e58829404530b3d67a05dba698f53cb00c500a5f2713507e11975bb8ff31557873ddb304c72ee8e328

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json.tmp-59560531561f2bbb

Filesize
3KB

MD5
6daef5eef729b2acf5f655d580f67df2

SHA1
a989fc6c53a1680b69b7f5e536b498580223cfdb

SHA256
e98bbbc4862de51cb08b5941a8f5125e62d45ebcc23678d640789dcc77847bff

SHA512
77c50ef0035c227444ea017fed83ade2a29f08f28905bf77e2170a954d7e550629ca3a3cf8208d4f0d46eb9cf7fad6ad74bafc7d078fa0ea0ae9269aec9d4463

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json.tmp-59560701860fd168

Filesize
3KB

MD5
ddef8de70aa4ab17f11cb62df526eda7

SHA1
dc3b27629420a998805c3764e06654f0eaba4ae3

SHA256
93dd97f09d3683152529dab4706d86645636c7c3a4e2d9ddf7d560232b5ba521

SHA512
609c660102af2b84ecc6a2e102339244b1c38be4dc359c9602061150399651424e0e3b83cac836d6da98bbd87e4e1c8c5e486703890f1a1dad19b16d1918301c

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json.tmp-59560750401c5107

Filesize
26KB

MD5
228ce4b3f6d7c83af05532ef4a7b0c73

SHA1
b17860171f714f4324b2b73046ddf13b61f23113

SHA256
d8c4ccaa49628a4de2f588af366a257588935cb4aad03d161076fda516bf0095

SHA512
3deaad1f01b0f0c9f2665f6afe5f4425de666984838d1c59a6408063d2ac7b3cd142301e13be57592a72554ec98d9471bcbcd45aaa558dcfc3aa0053a49ae884

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json.tmp-5956075301623a70

Filesize
26KB

MD5
5f9c7bf7679a517e4d0ca8914764c7e9

SHA1
73cf176c85bd35054f00e2b130afa5859b420a13

SHA256
dcf42e8ba309c9185c425b61052ae23e8bbcf2799eb9314516d46b8d335116c6

SHA512
a8a61bcf20269ac0e0ff98068ffe4674fa229dc720df20dca8a34ba9d1a6c660b69f4fc7d66e332d697ee590165625b2c2f92281f836b2b791d532d6a8525480

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json.tmp-59560771867a5791

Filesize
3KB

MD5
a335958dd90f09e5f169bf8bdf138f89

SHA1
90db699915e345809f380dbb322f66ecd26a6899

SHA256
27cf03f5e5aa4b89d0da0771e57ab9eedefef0152c5ea29f12cae082a75e71b0

SHA512
d8c2dc8ccdedc0eb2ee4e9de3bd06e1292894d35b6549fa9691cf696fdbb50a2e0ca6c07215b70dceac45cd06314c666f5aa3dfca1d9e8058cac398d18993a35

Download Submit
C:\Users\Admin\AppData\Roaming\CrosshairX\crosshairx-user-preferences.json.tmp-595612445413ea61

Filesize
3KB

MD5
2bfd0a3a6d4f9f23693697a210ceefac

SHA1
297dc4298cdd4dd0b7247fd39e1a3a21ee086f4f

SHA256
a211f68b15bf2a494581271de7d2911de635b2c90322309b0a1ed77739445ae8

SHA512
0ac9369af9dee10e9c1d4b90756102f06ea95891b8c7e29d2ee9bef50b3bf45030818b9cc7c5dee92cca638ad9bc5da2c6c53e93b463277b4bf99917c9daa5a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3576-5159-0x0000029F28320000-0x0000029F287D2000-memory.dmp

Filesize
4.7MB

Download
memory/3576-1563-0x0000029F28320000-0x0000029F287D2000-memory.dmp

Filesize
4.7MB

Download
memory/3576-5226-0x0000029F28320000-0x0000029F287D2000-memory.dmp

Filesize
4.7MB

Download
memory/3576-1539-0x0000029F28320000-0x0000029F287D2000-memory.dmp

Filesize
4.7MB

Download
memory/3576-1538-0x0000029F25A80000-0x0000029F25AB0000-memory.dmp

Filesize
192KB

Download
memory/3576-471-0x00007FF932C30000-0x00007FF932C31000-memory.dmp

Filesize
4KB

Download
memory/3576-5108-0x0000029F28320000-0x0000029F287D2000-memory.dmp

Filesize
4.7MB

Download