xworm | b46624ea261bec807dc1f93431ab3156450646976443c27322a7a9c4eec5e5f0

Resubmissions

13-01-2025 01:00

250113-bcnq5axqbt 10

09-01-2025 12:16

06-01-2025 14:21

02-01-2025 20:47

02-01-2025 20:45

Analysis

max time kernel
148s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Firefox Installer (ratted).exe
Size

170KB
MD5

200eb10c73336127006740ae06003933
SHA1

32ef06528018d4f9fc8da3a7e7e07363b3a143f4
SHA256

b46624ea261bec807dc1f93431ab3156450646976443c27322a7a9c4eec5e5f0
SHA512

026eb0e018f25449f664dbc2655cfb5c360fd60a928fec344bd31b3cefa01a3fcce4dd1fc87b3aabce7557db57cb1247a1984c69b3ecb00d83f388fd6b09a0ce
SSDEEP

1536:4ig4nFL9z2BOwVCMs6se7llqn17KineXd2wVKtivEYoNRh8RX9EIKhI49No:5zFL9zWOw7sgbcUieNJqKoPC5+Lm

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

109.231.31.129:2021

Mutex

H7HNKbba3h7eEPOa

Attributes

Install_directory
%AppData%
install_file
FlrefoxUpdate.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2488-1-0x00000000004E0000-0x0000000000510000-memory.dmp	family_xworm
behavioral1/files/0x001c00000002aab9-12.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
3660	FlrefoxUpdate.exe
5100	FlrefoxUpdate.exe
660	FlrefoxUpdate.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2488	Firefox Installer (ratted).exe
2628	msedge.exe
2628	msedge.exe
4908	msedge.exe
4908	msedge.exe
5116	msedge.exe
5116	msedge.exe
3304	identity_helper.exe
3304	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	Firefox Installer (ratted).exe
Token: SeDebugPrivilege	2488	Firefox Installer (ratted).exe
Token: SeDebugPrivilege	3660	FlrefoxUpdate.exe
Token: SeDebugPrivilege	5100	FlrefoxUpdate.exe
Token: SeDebugPrivilege	660	FlrefoxUpdate.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2488	Firefox Installer (ratted).exe
3448	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 4164	2488	Firefox Installer (ratted).exe	77
PID 2488 wrote to memory of 4164	2488	Firefox Installer (ratted).exe	77
PID 2488 wrote to memory of 4908	2488	Firefox Installer (ratted).exe	84
PID 2488 wrote to memory of 4908	2488	Firefox Installer (ratted).exe	84
PID 4908 wrote to memory of 3452	4908	msedge.exe	85
PID 4908 wrote to memory of 3452	4908	msedge.exe	85
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 4724	4908	msedge.exe	86
PID 4908 wrote to memory of 2628	4908	msedge.exe	87
PID 4908 wrote to memory of 2628	4908	msedge.exe	87
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89
PID 4908 wrote to memory of 4424	4908	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Firefox Installer (ratted).exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Installer (ratted).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FlrefoxUpdate" /tr "C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa62c3cb8,0x7fffa62c3cc8,0x7fffa62c3cd8
    3⤵
    PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
    3⤵
    PID:4060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
    3⤵
    PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    3⤵
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10237623154228429343,18433089880606986053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    3⤵
    PID:2684

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3352

C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FlrefoxUpdate.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
854151955f5c357465c59b4874bda302

SHA1
d4f4714f1ebad7dc7e79bf0bd0345089e981b573

SHA256
72e70fb956778b022bd37f48f55315fbf8df99ebc5eb08ffb1344f9ab7ebf09a

SHA512
671fcd1cd160ded85f8f3d2532573e2ae3c5f647c19f496e29f3dd5f3b7cfb6c158a5ba12e5a35f278ca76602184cefd3f943f2c0431036e18cd79b2b5cc6882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfaf25286e9a5cafba896b159c195113

SHA1
bfb882c9d704df5bfc3b56dde23d21c32044bceb

SHA256
0bed934b90be77dc27d6bc08a9f4fdf28c89eec3325f93a2839fd78a3812bd99

SHA512
d43b706594e9f6236b81fb845e4221588be7fba3e26339fa14484f8be66e1c49cee5348a51b220a45e25aed3e03756830ae44849c9b0a365481e1a46f32e98a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9836ca62824c7839ad63b2a5099ff8e

SHA1
f35e2b8d7e48ba7593b9a97b57909358bc95d92f

SHA256
41a29d9c508d9d1308dcbae00bd85b0c0ab3bb0c4e766a04cee0dc12e75e915f

SHA512
298b8b5be2aa1812287bddb25da2591e6582d1c4aa510504c068fc80edf645c1afc49e186120875df18354f715cbea49db8e62e78518304c7b0cc86880d69ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5a40c2ce7294311fc15ec27cc13ec54b

SHA1
be4caa907ccf35c18718c60207ed34d83ccf6bf8

SHA256
c572df05f7ef2deb3787693d6d4ab7d0cbcb371e3edfc2b8b6e71426bd56180a

SHA512
92e99818cfac62f9f30abcc4942e31bdd66daa1e1a1fa99fa9d8e5dd743afe33ca73ebbad903306bcde14c9870be5f36c9ede0d588418e42ed2136476dd59886

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
76fbe77cbc68f3bd5f0decad25775716

SHA1
2ebc2dea0b2224ea73fb5413d94ad38218122bf3

SHA256
8d59129db45c9f234318144380c9d167d89a9faa8e2a6aede9b5a3bcfdf650b6

SHA512
1a5d850914bd033defe42de3a333c2a7497927a07289258acd5ec08e973b4ed45030b0f299d6da5bac16ad607ed471b3db52a5c9676a532ecaa0836682618230

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
0c71204dc7dd088aa8f1b279e29d7bf5

SHA1
475dbeb8589312574e6b5f3ca2913b8b80af155b

SHA256
28f655f695c0992c73fa7b02fca2c93b65aec5b8c82297e1be30ed9016eb54a1

SHA512
f10ec78286923446833e4f19900a790be0440885688fe273a811648de090a765ea82ef8ccc062987ec12285e0de608b803671d01358a18dd4504f90845169826

Download Submit
C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe

Filesize
170KB

MD5
200eb10c73336127006740ae06003933

SHA1
32ef06528018d4f9fc8da3a7e7e07363b3a143f4

SHA256
b46624ea261bec807dc1f93431ab3156450646976443c27322a7a9c4eec5e5f0

SHA512
026eb0e018f25449f664dbc2655cfb5c360fd60a928fec344bd31b3cefa01a3fcce4dd1fc87b3aabce7557db57cb1247a1984c69b3ecb00d83f388fd6b09a0ce

Download Submit
memory/2488-27-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2488-0-0x00007FFFAB0F3000-0x00007FFFAB0F5000-memory.dmp

Filesize
8KB

Download
memory/2488-5-0x00007FFFAB0F0000-0x00007FFFABBB2000-memory.dmp

Filesize
10.8MB

Download
memory/2488-4-0x00007FFFAB0F3000-0x00007FFFAB0F5000-memory.dmp

Filesize
8KB

Download
memory/2488-3-0x00007FFFAB0F0000-0x00007FFFABBB2000-memory.dmp

Filesize
10.8MB

Download
memory/2488-1-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download