xworm | hxxps://gofile[.]io/d/VOsiS4

Analysis

max time kernel
894s
max time network
845s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-01-2025 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/VOsiS4

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

wAEaFrFLQcusSZKU

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000462e6-162.dat	family_xworm
behavioral1/memory/1184-216-0x0000000000850000-0x000000000085E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1184	XClient.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250119025823.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\55074857-7b5b-4106-be8c-b26ac315487a.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 886406.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
2944	msedge.exe
2944	msedge.exe
2424	identity_helper.exe
2424	identity_helper.exe
1900	msedge.exe
1900	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	XClient.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3384	2944	msedge.exe	83
PID 2944 wrote to memory of 3384	2944	msedge.exe	83
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 5088	2944	msedge.exe	84
PID 2944 wrote to memory of 4788	2944	msedge.exe	85
PID 2944 wrote to memory of 4788	2944	msedge.exe	85
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86
PID 2944 wrote to memory of 3708	2944	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/VOsiS4
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbe14846f8,0x7ffbe1484708,0x7ffbe1484718
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2796
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7c9985460,0x7ff7c9985470,0x7ff7c9985480
    3⤵
    PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3684 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3994054387021756373,5526719217094715020,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef0e81b130f8dcf42e80097a75e5d04d

SHA1
d8694b7c5fba1ee2e73e69dd7790ca5b1cb882db

SHA256
fc53158d948d1742e3f960124f9fdb138eaa4aa711d0f43833fa893247de4918

SHA512
c85df1696537dfce601de46183b1b22d7f0007b0f695f1904bbd1a6e429d7787c3d6199bcecdb21936d811b35eeca57a9800bcd3a3b585569aabeb0b5b497efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c58ccb4da696442ae40d3db9e4b41c3f

SHA1
e27933a94d57f04c75b8bff25ad7012171917f87

SHA256
d0d75be801bf0c5f715665c73214bfa38fd714dd9ee846de410855d96dd75931

SHA512
82a7cd39758d67f1d177ce7f46a5ee560eb60207ca7ca1e39b9a08a269ed140532bf1ec85899a033a54d20a0d59592d1cd5f5d35f71da98f6b6e35cd904e1872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
3f08927087c46ff669905dfb3ec31ed1

SHA1
ebff6ab4dda81494c41247edaea6cadf7dbb21fe

SHA256
ca60d579b6497fd55bc82b5cb26ee737e6c7f03d04538e2f6800af4d64fbe8a6

SHA512
e23f3d418085d56c7bfd5e3b7a25116c931a2690a3da46357d9ddf01b5a6fb91c17390da23071e3942e08d995d9f5aecfaf9453b5a47672d65925acd08291ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
9c3459ed79a853834411879daff42fba

SHA1
af38b54e5b97a36a0e096bdcf3445da7f443e032

SHA256
2ee6c292c96b2d5c734cf2b9bae75a18ba258dfd4b200b3d50378d8bf3655f4a

SHA512
efa34b52743ea2fb693bcf8887c4a341b3272ab8acabb065d94622296faedaba65694c982376fbaff11c84dcf5483a34b5b2dcc0286e619c47d58dfe09261e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7c0d79b95ae2cf3dfd2a4054af266439

SHA1
c632524bc5141e51619f1bbab0149e8c9ad7660e

SHA256
482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d

SHA512
e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5870c6.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35fa0ec3f5384146d947845353e97fce

SHA1
d9c4ecd8adde877e3d6db6c4ffbd286c3d628ade

SHA256
f2a2cf029f9f86b7537cb8875f5b6506c1cb6eb52605dc1f00e176cfccb3b0d7

SHA512
e54d7cb10e84cce3a03a654175658c5546d71d57b2844138c0683c192ed642330f199ede63e43bb783de4b43b48c0cd9c9e5d5d16806effd7b8961712cb20410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e6ffcc2352d22285d2bae6fac4ce89f

SHA1
81587ca8a130b16d17f52cef8ccc95f3a66dc1a4

SHA256
07a7d3b6343dcaa7a60adb4c12d82e6e5470d1813199663ff6b3a92495d025d6

SHA512
7d90047db442fd05504d575a806e659338db260cc037f84df930715854ee728cdc39066594c10052d13c7eeec3e34da65df30c2595f46d63ecbcdf33d7644b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd3839aa48e57aca1230a53685f9f62c

SHA1
8348d0f91f2a392090e94f364f5e00b0397bb57b

SHA256
99cdfae93c6fd9f72ab1db5c290e5a9674063313997837d5388068a26eab0947

SHA512
de864ba9454aea9316b9d7e6994dc93b7a994d7e2bae9dac71d0c305fe05da41ab413a6a58a5497044d50d9e0411f1d42741993bde387765759e1be25dc44b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
62aee047a3c6cf2fec2a29a34157633b

SHA1
51b6eed704d65a62d8793ea18885d12aa39a5cf2

SHA256
342e67b65a4070bbd6e7c2fbf75c98e727d9db45fa071181cae0f5eade726ddf

SHA512
21ee4907a0dcf077f9233542462b8bfd01d976dc1fe4a7b7c4ad70d691e7b9101bddcc292e13fc83a22f56355aa5b93949ac124c84da1f43a80851bf313d895e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a18e33a424007376b810134dde07fec6

SHA1
3acbb4070e7fab6fea0f6c618aeca0964e39f7f8

SHA256
12852fe3bc04c3a3f6cdb76d7fa37cf0d7f91ffe801c70caf5ee4f5bb34e2821

SHA512
3a08afee6762546ba967965d72b90a0e0ed2a45bee0e195696c92f511c4b92634acdb669e6320359cb436e809c9672c0371042990aaf26b90da06da523ce6b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
47acf70e8bd035f54ab42c9ecb88e893

SHA1
e2615787efa2237ee38019bb0dbdfa57c0f576d8

SHA256
e42b5e25bfd732e951ae2f617c394290feb8e82d9d7380d983e23598f8ddf8f4

SHA512
f2f623fddb4c76bc4cb3a6813f5625590369301bad335e9b0aeaa5aa11285bfb9e4d669fb707d39506de9ae751a13936abf4bad4e8129f3e5ea1f98cf2ee5726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
322226c6f136f1b2c96e2fcba20e3f61

SHA1
aeb6266963eb19af75359d50a1ab3f8cc931bb5b

SHA256
53a14313dd9a12d015d8f390e06210317f0a991ed8e15fd2de415cef38e6bdb0

SHA512
2c020e6d06729937f2486910fdfa4a702738be208157c89aa5236765e0100d032270a6555e5d854d3596b6dd976883ae5706c1606038d71288c3023fc942aef9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c723086722768bc63a9454eb7bfd6d96

SHA1
e850851195c017ff294c9c10f97e001b7cad0f7d

SHA256
0bc65790e1feb45b39027b66ca4568b09b5e063a5b24c5a13a4aa9af513930d9

SHA512
de2f2427f2b4f49f5c4fb1f10ff97e0f1a2f9f23b90f4f18ab3671b4f7a1fd6b6e0fb06ac928517024150ab33ae76fc40349c55aff2d598734443bebb8a17a2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
877ed3ab7df7038f31a468ed64dcebdb

SHA1
c82383a44d393d59d3495755bf18ea8c3859696e

SHA256
03276797b8b5b7a65ba532af41ff58d141f119650f971b294db373286b7dde34

SHA512
bd368d6365b51becd877c6e611b984e01c500fae80a0407627d2ff4615591d171de473e4fa9a5d59c146a4b01c0e03b2769bf898cd1666f160a21944f9bdde8b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 886406.crdownload

Filesize
33KB

MD5
2f0701e49877d73fef77dcf42661ddef

SHA1
eb40b71949ebe1dbc52b867ef365321af9440e1b

SHA256
50e4d753e6397e0da28c47478e5dd268a6e0f19d125f2e008278c6609c6ee14c

SHA512
bdf3153228abb219def5313001c2454e15c5875c3420c83336e9b65f99d9001b047c0b06d5573e7050fe4672334f926e91aa1f584ee603a2fc8a469013b5d634

Download Submit
memory/1184-216-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download