xworm | hxxps://disk[.]yandex[.]ru/d/2u19YwwbXZZn7g

Analysis

max time kernel
596s
max time network
529s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/2u19YwwbXZZn7g

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

AbobusTsb-31029.portmap.host:31029

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023db4-717.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\CrackLauncherPass1234.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
5948	msedge.exe
5948	msedge.exe
4928	msedge.exe
4928	msedge.exe
5132	msedge.exe
5132	msedge.exe
5584	identity_helper.exe
5584	identity_helper.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4120	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5948	msedge.exe
5948	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	firefox.exe
Token: SeDebugPrivilege	4068	firefox.exe
Token: SeDebugPrivilege	4068	firefox.exe
Token: SeRestorePrivilege	4120	7zFM.exe
Token: 35	4120	7zFM.exe
Token: SeSecurityPrivilege	4120	7zFM.exe
Token: SeRestorePrivilege	5824	7zFM.exe
Token: 35	5824	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4120	7zFM.exe
4120	7zFM.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 1836 wrote to memory of 4068	1836	firefox.exe	84
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 1696	4068	firefox.exe	85
PID 4068 wrote to memory of 2604	4068	firefox.exe	86
PID 4068 wrote to memory of 2604	4068	firefox.exe	86
PID 4068 wrote to memory of 2604	4068	firefox.exe	86
PID 4068 wrote to memory of 2604	4068	firefox.exe	86
PID 4068 wrote to memory of 2604	4068	firefox.exe	86
PID 4068 wrote to memory of 2604	4068	firefox.exe	86
PID 4068 wrote to memory of 2604	4068	firefox.exe	86
PID 4068 wrote to memory of 2604	4068	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://disk.yandex.ru/d/2u19YwwbXZZn7g"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://disk.yandex.ru/d/2u19YwwbXZZn7g
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 27434 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d76b5fdd-62a9-4a13-a265-4afb022db282} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" gpu
    3⤵
    PID:1696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2388 -parentBuildID 20240401114208 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 28354 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d8cfcc9-7e87-4101-9487-9e07b1bf173f} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" socket
    3⤵
    - Checks processor information in registry
    PID:2604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 3204 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37744752-d3f9-49bc-94d0-77e8cfb8ea16} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 2776 -prefsLen 32844 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ec5a3ae-6c00-4e95-8340-a80a739fe388} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" tab
    3⤵
    PID:2592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4668 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4660 -prefMapHandle 4628 -prefsLen 32844 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8893ce0a-8781-4e55-863d-3363f08fa9f2} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" utility
    3⤵
    - Checks processor information in registry
    PID:4896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 3 -isForBrowser -prefsHandle 5612 -prefMapHandle 5632 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {786fbe1c-f812-430e-b5dc-8d43f855bbf2} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" tab
    3⤵
    PID:3148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 4 -isForBrowser -prefsHandle 5780 -prefMapHandle 5788 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a76426d1-dc3d-4d24-a727-972a810ad084} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" tab
    3⤵
    PID:2120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5968 -childID 5 -isForBrowser -prefsHandle 6048 -prefMapHandle 6044 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61650e84-da29-4644-af78-e0a74215eb0c} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" tab
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 6 -isForBrowser -prefsHandle 6276 -prefMapHandle 6188 -prefsLen 27268 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbfdcb09-57c4-4759-bcc3-adb6a42a8c8b} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" tab
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6388 -childID 7 -isForBrowser -prefsHandle 6396 -prefMapHandle 6196 -prefsLen 27268 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a42cf07-4e84-4b09-9755-f69f6be1691d} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" tab
    3⤵
    PID:1692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5852

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\CrackLauncherPass1234.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe090e46f8,0x7ffe090e4708,0x7ffe090e4718
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,9499315529810191225,13359894936457365992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,9499315529810191225,13359894936457365992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,9499315529810191225,13359894936457365992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9499315529810191225,13359894936457365992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9499315529810191225,13359894936457365992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe090e46f8,0x7ffe090e4708,0x7ffe090e4718
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3628 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10153498755326629431,9645863199533749888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3556 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5632

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\CrackLauncherPass1234.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f4a0b24e1ad3a25fc9435eb63195e60

SHA1
052b5a37605d7e0e27d8b47bf162a000850196cd

SHA256
7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

SHA512
70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c9b7e612ef21ee665c70534d72524b0

SHA1
e76e22880ffa7d643933bf09544ceb23573d5add

SHA256
a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

SHA512
e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba8941f15b6abce65796d9d994bcedd9

SHA1
354cfc5ca55ae89769df29280afd9f1937f6a457

SHA256
6eef8d3fab2da8f2b3fdc4c48c4394d99ba3d407168e4de4c4ac69b2460a055b

SHA512
f219b2aa99b499b2fb559007b4c9cc6e2e84c7109421b5585ec5198505f115cdf8df465fd68a9b9936e662e4d3b904a6beb293e66d550d6cf6098ad25dac2205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
398fa65a94a5d7f267f95595055dce0d

SHA1
d757d841b56a9b24861e77da59870fc67a16f7d5

SHA256
0bb521d47d50e87073f83f7c5b306f5af8b8c51fb47bde89f03ad509a9f812de

SHA512
fa015acdb5d897b2b5451e4f4b5d35a0ae4652df95dda5c316e2256b43fc559ed0cfb17302738d9d3ffa85722982a17492cf9e31b8c9f148ec101eb7c3ae526e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
b0c91eb2fe62558cde611b04ecaadaea

SHA1
e98dbab0236fa87dd3a4a591ec698825ba858f08

SHA256
58554f9ee1f662c329623800cb54e07705ebfe402782c1742977af0f67b0eb09

SHA512
504bc93f21382e77358555a70054e5d795f6719760c308579e7e97d071a0e93143def5f7f06fa0739861a6a219740a773659d7f9aac86ffa97c5cc9b33b0e5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
1adbe46d4964360adf21c2028f347292

SHA1
cdd88da1170fc6689008eaaa5b906ade963d983a

SHA256
16be7cc8cc3958ae2243bd09590d1648a3a91b24ee6c17f6c24f0e5496e97176

SHA512
5c6a36ea00f78dbd15638e349bfcb6f6a4435a3b28f53e5828a1395173945196797a350f62c354c4eb69b57af18a9aa7533f4ce10901cae84d99a21f9cd80840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
61d263c0919e827d396cda5f62850d92

SHA1
6eb4aa5a79329c8850c4582b523d79badf34372a

SHA256
998e6a21bd7d116a483d5d1336aa0d7a72d9dcd9dafece9911f4dd6f8a037eaf

SHA512
65e9e3b5fcd7bd6cfe985f594893e9ca8bcbae28f07259a71fa7b39b8c607f1ec3a59a5d8105315f0087c802c62143f3ed36c9c4d3f9654553e323b4f47469a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
adfc5a229963a385af4a01c1b696742c

SHA1
82fb636e7fa59cede91a2089a4b2a012a701e158

SHA256
b700c3ffbf80f4383747d7a0366df83064e8557ba0e2e2313a442f1e78acef68

SHA512
353dad88cbc7a8ced44dda7521964d550003707e22a4f638333be6fc6b01dc905b065caadd1aceb0e5a7874d814028f2cf3f3801c76bfa197f86410fd3cc2a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
2e9fec5511751ec89a885efdb50637a0

SHA1
180285171a54d2800839b3cb1242ec3bde330b27

SHA256
2e24d195c1d3cc27f63b7e1936c95b014e6fb63eb5cceb097defa050a9bdd0f5

SHA512
0567cb97973d54613ffd003e382e844abe5aff537a4fde596f4480ff2402eaac735a536395c8dc75613c044d444b959aede3b2949755981fcb4e98d4d2b01a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fd2aff424199bd36e4190393a5d9be77

SHA1
01c30c830f19ecb81356ea255530ed12d50400c0

SHA256
ab2ac3981c49930dfd25bed88c60a2d494c516777dfd7583aa32b02c8bb005d4

SHA512
027986e081913434441852b9c1d0679a14d3199182dc42354c10ae4e96466bfc85ed7d5cbf93708cbba59a675d2833c228a97b9e8d9f41b86a7f5b00da98f6e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c98ee638ff70fb98aa213984f77809af

SHA1
7c52df363c29714b7abc0beceace0bac65c348b9

SHA256
45c3ce27ff22ef959083ff3811b83229df062ab14ef3d78d41655ab4dda81d89

SHA512
a00f7085328dd3f5f22f4444c08a01982312bebe4a450ab5a097bf933f24156443672425fd61f118f6f4923857a3cae329c8a800ea1eb537fe2c7c012a1e030b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09dd55d931f25ed235b1f83eba08b0d8

SHA1
b36c87ea24a0c30c34917ba5908ea2e3ebfeff4d

SHA256
4d7fcf4af119a0aa63253107942a3613e6883edbb1e2d7588763f22f53e61f99

SHA512
8022f2f9ffbf470dbe96cd11c3137c61da5f5605feda8fc68a8d9722cd9ca77ccc029059138d804be80052dcbdcd880d96ffe343df07d3a1914714ab42d6a6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b7824f781296acda5ad04419264ea019

SHA1
fb00dc9718d1f65522d401b9fd50176097d8dfd3

SHA256
104d83dd4459fd4036495ac5529ed159d75a63243d8d549232264bfdef2e2097

SHA512
8c7fe38c7d5082d8b40da5fcf867df24f11154c445ded8631fb15b333cd3586f279705c8255f73e07ef610cd3062a5739998e08cae70c8655b6a9e672b1d860e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8daf34ce8134580c1e9a3b58e0e35d1e

SHA1
2967abb5231385873bdc19e5c4c25c7f44e38013

SHA256
3b66902ba2e1a48ea9954aad68b6535ee82cbfd700671aa1b4431b6b5fa1c993

SHA512
137e95560bfb874f3fac149c489ee0f9e7a7b9e896b42f275d94bcd6436bfe14e19fcac278aa5aaf78269671420a6ce04314749b70f97fa9655355ed7239c1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73f5cfbc084c1353526e4cb88ab23a0b

SHA1
be5cf8864a57131f997c40173cb6e645740e061a

SHA256
2dcd2b780896a83e060d56143a0fb1d7c3b5084602b05c09606856a2cd1e3e58

SHA512
002426ad88abd61022c72f98b6139b2ce0ee6b94844de56daa58974f55e8480c8e272d49f6ef267e2d91496c82eb6ea40db8f0ce7b5ee73fa218ffc6750455aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
4c264cc17d7278ea3914b534d15807ed

SHA1
a41c3ad5ef25c1df183beab12dbbeefba9a8286e

SHA256
feacbf7d14c92e8116bb03961d28dfd22fb8115aa1c82b66b6275012421e8d57

SHA512
02d486ee6bfe684b62205d64d12d9afe723f283cfd406e28c595ea8e8c4bce5bad0da4dae2805128112c9d433499274e48babd7f62fbb1ca283ff2164b9d3dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13385242449842732

Filesize
457B

MD5
e1fdff1c564d2078c3dbf4e792d49665

SHA1
49da0204bd1955a289ca01db5782b42c5bcdefbf

SHA256
1a1798ef3538561358bee48bd676341de8e36bfbaaa4c36858ced389227e9ef3

SHA512
dfc6496ca1c2dee6c1c55da1dcbe85f39c7f44c02c48bded9ed24ea17caa23131d01df8416a28c866dc45878a9fe9bacc708c40e6d02f1cc2e8e43272259c601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13385242449842732

Filesize
933B

MD5
13205794d7d22a73d54ef0f413f98718

SHA1
4ef221b6f137d3b1fb2b0a1dfc60c0280738d9f2

SHA256
8442b25992172cf7764c99b871dd4541cdcd35a73109924d60bf10edc83343a2

SHA512
daa5843ca5429a0538b9dc5ffda3411f7eb2b785b40e3d6d2c4ec70540fe67792d98a52df4e28b3c01d6f3fffd3f7207566d9d65057f19f3f1b14c45965b2d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
6525f3248fced25a662a620fa98d27ca

SHA1
30eca5f7970bcd5af8f2cbdecdb3281b1709da6e

SHA256
5faabf71825600d0b2478702d89f5eede724400d62901d286093ceeed4b3745a

SHA512
dbe43a23919f07f17e8d8e8a277a16b8f7b46efe7994943d357f1e419fa4ce3441f5f1c3f1cbbfc16cbcf9d42317e269cad6402c13923c2ee79ce12d514b1962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
a7c2e56e4187e2d568d9d5017bd982e9

SHA1
96f10c7acbe3d64e385591edfa59d4547f7e3363

SHA256
b2119482c33af8b2a8d5703cec692a8ca6d5e7709eed608ce9001e2de8acb902

SHA512
807439d548769e31f14e2e8a686a00199850c6c98cabca9cacd38fa8ae9b1369b0fa2c13a8651d59d7c690ceab3ebf99caf052b73143716a6626e2ae839d1a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
9478219a2b8ca2d1844ae4aaa4984573

SHA1
9be1193db28751f5b313a22e53dd5e236dda825c

SHA256
8db15248839ff90b3ce710f1d52c79dd39c41387316d3024356237ee2f52da5b

SHA512
6bfe37f648df47e9ad4e51803a38d4864b7712c6f7bb7a0ab0228119e7a71f9b09b53930769549dbc80a933838bfde27257235fe5036b0fc327baa15985315b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
accad9ef4943d13d568d9af3945e92ab

SHA1
0e89252e2863ed7bbd517372649e2b2ad351c9cb

SHA256
4133babbacaa4c14cc6a524be692427e72ff8b7b3653e5ee2ba3a1459abbe6a1

SHA512
f3985a8a91d40e279596330829d2618bbd24d804ec583fa9b73e8dc9ae27bdfd7270e79e993eb240473a827ad5f934a06d4515fe7f54daccf6406b733dfbb57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
08c7489cbdb8e23074a3a235f111516c

SHA1
64cab27c209851b9b5ee30dd4b9e73ac2935a0fd

SHA256
c86bfa65017479e5f718d48bc7bed97d2769feab9889c063b1ee72fc1deae8cc

SHA512
8ede2f2a2fbba872473ecc9341c84d71079d422839412f60f5e7a38914e25c9a619e276fac2b941ece48f9fc07494408e36d9d2b337c683df8a3d2f6ca48cdda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
e77329c5567b96f8ce81f3258bed947d

SHA1
da3ea949963b6e9a2fdf4506f86b5c2ca9b3ebe4

SHA256
0683ddd1a8a8202b168924963e74007ec3055807e35cddd238c64d4d04bd6314

SHA512
c3466b0033bce9a913917cc9052e7bc2e8af88d44021430ec0fc99384f3bc8d5b3f911c95a2b4e671563febd06ba06dbb6ff96e855e40a3db7a84b8180b2b536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
4c023044cb75924241a4328f176defdb

SHA1
2ef9b76d3a0b6c98cb0d9501b8a999c9af19326b

SHA256
e4cb6cf17d2ca17895d0ced2480a78674bc01dd69226ce8b8d9c8f2a3a1c4feb

SHA512
eee9bfe8a7e76d0936e819dc0f1cfe35acb5c27476c941699317792f6f16df23613534c18a528ac8672124e22691b07ec9b4dcd8afd960513b2431f1159cd7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
e3ac4922b5f150ee125accf7b70ccf3c

SHA1
723fd491af54c103f8025d5169fa1949cd272f56

SHA256
929ed5758d3518c22d1928a6fdcc6fabc3c165280f5a836e192ade3b10f57ef2

SHA512
4ee9779b1a4d6ae8850355d431ef4d4345935bb89b125c91c5e4ce7e751daf24b610f79223e3a3d33e6bc48410e339ab465191bde54f4828d4e5d686ce318a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3910ca175d584c8b8bdb52c4aea23102

SHA1
76464acb1e4ec60cf48b4c580ce25bae605dcb49

SHA256
b092f9d3cd9a6e22b38483be904955daa703d54197f8d3549cb56260469b8243

SHA512
a1e3d138e6fb60b2c588756a4029d12fae1010ba0a209cd0d9b8e39c409f0e26d02d53589b46f1faadb71e8fbd6a4dd1acd82facb67d14f8f36f61cfd3128c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f9dbb0bae8831cb42cce2bb65e64b391

SHA1
5a3e91d46dd5ef3205e95acb5fedb88522b414f0

SHA256
f77e2080909e35a968284d5866e6ce751304ad3ea27f366ac328b504ecafeb80

SHA512
6ccaded71d6d5824bf98115ca6a3f6f584085493252bf109c3a99d28655d3486abd4866c4b2dd148a0ad372de06f5b6b82d91f71dbab34dc53d59f35c7bb8e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
24ba79739df993e93118188d37bed439

SHA1
0295db934c067f98de1fc9b8f4ad717b1945af69

SHA256
e8b7a4de15606d719a5ba7003f0809ba6cf6f62b24881d2bb6a27c10e2e31398

SHA512
8f32e618ca2cbb5271f75a8c09f19cc242318dbb20367140cb505d084637a1109cd9784de384e6f6162bf1110fd28a7ded7d1e65944ecfdedbc4c369147cdb00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
9f1a65e6de8bd5c18d44e921bbc8232a

SHA1
e5c54a5212cc2879c25ad1265904aff273a9f35b

SHA256
bb3745587029678bf72297ed45b5b3bbf4b6b77ad15af7d9d417f12bf80dabec

SHA512
76db5e0e07587ce3aae4083b5142991d727049a15f3e065990f31c88abaffce62317457c334f7a6062635e30335c88cfdcda805d700d7a5ca11d8adee88cfb4f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
5cae76daa884cc3eaa86479efe3580e8

SHA1
9b1409a8655cc49c762186d5d86c244a8ba0c06b

SHA256
3411cc2e0746fcfc7c31f74234fb70a16b5a4cc8b8d9cad868d6d4ee98c9111b

SHA512
bd1e5a4f19c1002a3c54c31edd3bee6446dd505233b77d93fe3b543b68e0e80e1e2747681ee9ad532ee11e5089cc36bd78de994fe1ca95157042e7ec31813793

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin

Filesize
8KB

MD5
e3c33e209df3b1acc438a4940c4e841b

SHA1
9f843e696477f7da4beb0326f82ab096a24592b1

SHA256
58e025948feb12b42899d3f27fda4f3d2f358aea2d5c557e9e91c352ef5665e4

SHA512
6a303a4de0b6987723f22f0cda69d46c003c169b3aa87744e8fd3e7aa8931a9ad797980c2dd1a6ed703c7da387901f73903d8c8087b93403fc31ea98943cb0e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
390515130c1339c773e9ce507e5272fb

SHA1
947154535650b257ce09d82562dce9a941f75054

SHA256
64dda5c3ea3790ee3e59bcac9d0162130ddd2a4b64c95469bd55146ce4bc1952

SHA512
d5fedf5ebecea14de452e40164d3d2775611e08ea694286793f78208aa8a4df03617809a50fe5e31c099145edbb627bfe16db953fd7017c9eaecea9d35b22461

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
2735be8325137b6297929c384211e269

SHA1
e6f35bab850ca621e7dd05dad19e6764b6284654

SHA256
17a6d0ced5eca3482354067024d47db7b95a8e249a49427e6021b5cf34ea3898

SHA512
d2e53fd93710612155b81742f01a888bdd195a78b5e255cd9d0dc911abb398dddbba9529575101d0a6b16d47e0d968af145c05337df66dfc204972d1102287f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\1c5c57bb-ea71-4e8f-806d-8148f2e2942b

Filesize
27KB

MD5
3bfea0d19385974e070c80b211aa9188

SHA1
1030c1b870c3e853613a853d854b6d82fd304fed

SHA256
8cc30b3d1d6c01138a9569a49989b4cfc2174fb5f4d3aeb7b9d67b53bbb785a6

SHA512
6b9149b0bc715b15a164fdfaa24aebfdc9ddc2425f4dfca8d16f09dec96937e5e6ac0032c9ac661d640c5735b5690a79b2185131ad2ebdcd1dabec9bdd3cba30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\23dee0b5-9934-44fe-8213-1780f1da339b

Filesize
982B

MD5
5108146b911ce32f4ee4228885fda109

SHA1
4aeff0c30ffc865ee304851c82410e48f6034673

SHA256
4440c7fcf87a6ee51ff6e7cffba44e18837f3de4af6c0be028e16f0546506a94

SHA512
52266da9024ce988f86f7bac0174e2b5684fd15bc72cb8f4de27c17e45ee68d8feebe38b282d758778061d1e9af243ae3c312a4d5930fdaf3c72675016ccedf1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\8cddc19a-544b-47c7-8a5d-4b2bd0d31bc5

Filesize
1KB

MD5
1453794c7096809da6de43c8bea46bdb

SHA1
d6e86483e56ec14666c6ba9ac188409eedb3e6a8

SHA256
cd4c8c13ee1d88e5140a3128242d4c9d54bd775a64c30134e08056e7eff38f1d

SHA512
2357d21e91b01426441179be6642a9bcfe76653e64b50186d39bc3b970df1e5158db0ec670d5b258f3299c9b882899a70312ee8c720a0fce185de414b1e02eef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\f0bffd7c-c056-4bfb-bc54-9e2d987b6477

Filesize
671B

MD5
68a2518bcb3028bebf23bc49f0dafa24

SHA1
f6d0868ab27cda680921fed797f8f06cc6d51bdc

SHA256
7d4f23f740bc51e4c6647c5f36bf4f9fea5ba57c24a0402a90bd10f612f84069

SHA512
eb1b57ce2e5765e502e21a9711eaf5bf1f25806bc74d9fc9ae78e2e5f425baa63db395c2bf27a73f1b55cf2ba2e71a16db4fee915eace12ec675e8008831c1fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs-1.js

Filesize
11KB

MD5
43b687e296a7e73d2367d2f8e30d4c42

SHA1
1e59934d5cd14bedc7d2658f35caedec77c101a4

SHA256
6a922140171cc182bf8cbd60a939d59965df6c2b0b64137958ef198cb1ad24d6

SHA512
7bee3967a0ae81192746c14f00a7dd9171b50ba27b28c9842c9a34fabc44e0f1e71cf1150c36fea87307b3522d68ca58b8b8083340b96af79281e13209633a04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

Filesize
10KB

MD5
f45dbc92d26e020d4405a3f7bcc2475e

SHA1
2c0595d86a3188d3d156205745c5794a678ab632

SHA256
63957d03a7abd6317c7a980efc85375967ada0263940932ec374ee5ce872ed37

SHA512
b480376f270aef41542269388d818ee4e3efcad31bce1e2c6a5b596d85515f409fe345ce56ff0809a902dd3d811271f88ce94ad06c3114beb10a213133487b43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

Filesize
10KB

MD5
e0d72092f2c303a4a80f0f366de532be

SHA1
3101b0b0454e61f26a9a4771683a58eb484b339a

SHA256
7c7275fa059c577b7ab53d879f830551e005a67fd4b8a76d92a1215adb3f9881

SHA512
978e22556993842e2648d8e9882941e0a9e73f62ad9877506eae7b7efb42531a2aa7762038c098cb95a35d657a536a6437085c0088cc9ed19248d7c49b36079f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

Filesize
10KB

MD5
d87a8764c479f2c65789b1473e376aff

SHA1
40f90d20da5f0bc18e9ae87ce7f1a2acb3ed23ab

SHA256
0b48dad9cff62e57bb91f6ed82ee4c9ea1a4bb5ec5b63e385e0cbe66a753cbf1

SHA512
6f527fb76380045f1c021ef666ecb40cae9d8de762dde6ba40bc7defff90f80ba742de17b933e002c1d665f30d08a9b024df4a773cb1418a9678850b040b4c60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

Filesize
10KB

MD5
106b7d35807eba72bb5e068c1a5f22ed

SHA1
e6b44c092e88fabea50d840db8d8d4b566e281ed

SHA256
419c663061d92f4333436ae457a1c733fb40eb03736f31692d149313470f1bc6

SHA512
6f3a8662cf7d6e1146c5ef74f4cc0a9dab6a0c495f22b0425bd94da390c8a8d0bdf09f91a90010777e6a032df791b2e9e0af5d0194ec24a276773f48873f1649

Download Submit
C:\Users\Admin\Desktop\CrackLauncherPass1234.exe

Filesize
73KB

MD5
fa0d41dc7ca9c40b5bd4ddc84ddcab86

SHA1
86e94ea9ecbcf30f187e68fb8c5afd6ee2891ba9

SHA256
35dc677cc4ded7c3ef15ed4130c13c23c62055f78161c2d93318113c2fd0de66

SHA512
6e4dbfd1edb207bb017da41864811d793f23bb032e0838b24cafaac41f51806333e67b6f69a18d12bc8ca08c6b533d56f9d287c464b445ead92e8bd49e7e5d13

Download Submit
C:\Users\Admin\Downloads\CrackLauncherPass1234.7k_RvzeZ.rar.part

Filesize
42KB

MD5
4a107fdd8029eff32332c61262d59b6d

SHA1
77265ae4e7bd9e29aefb04300602407b3de94db6

SHA256
aea9584469b549fcfa0bb94e8ccf50613f0f0c6addbaca1c5a9ac8a31c9504cd

SHA512
e83010daa75da56da09c74440a0207cfd3feee338b394357ca3886181d11a7d1638e18a5ed7751bd918f6bbb4a3b18e18b1779397db2759fb3dcd7459c7e55fd

Download Submit