xworm | 0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XCli1ent.exe
Size

36KB
MD5

3d8ec94b7dcfaf52bb472918378b49a3
SHA1

f868a911a25973f330ec2b56e50a746e6f32b14d
SHA256

0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9
SHA512

a57ac00fdc6377469d3a95bdc2715e68ca408aecf8b7e46444f401f8d93e787a5c1485886109f833b9771d07e9866610e808ba756167f55eef13750ff81f59d7
SSDEEP

768:DeVXtHcDQZS9rc50UZmx/F89RF6OOMh6QJP:D8dH+o51OF89RF6OOMQy

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

database-victoria.gl.at.ply.gg:55358

Mutex

eIDPhmFNz0rAKYvF

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4032-1-0x00000000005A0000-0x00000000005B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3704	powershell.exe
2940	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	XCli1ent.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2940	powershell.exe
2940	powershell.exe
3704	powershell.exe
3704	powershell.exe
3704	powershell.exe
4032	XCli1ent.exe
2296	msedge.exe
2296	msedge.exe
664	msedge.exe
664	msedge.exe
5084	identity_helper.exe
5084	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	XCli1ent.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4032	XCli1ent.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2940	4032	XCli1ent.exe	90
PID 4032 wrote to memory of 2940	4032	XCli1ent.exe	90
PID 4032 wrote to memory of 3704	4032	XCli1ent.exe	93
PID 4032 wrote to memory of 3704	4032	XCli1ent.exe	93
PID 4032 wrote to memory of 664	4032	XCli1ent.exe	101
PID 4032 wrote to memory of 664	4032	XCli1ent.exe	101
PID 664 wrote to memory of 2280	664	msedge.exe	102
PID 664 wrote to memory of 2280	664	msedge.exe	102
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 1580	664	msedge.exe	103
PID 664 wrote to memory of 2296	664	msedge.exe	104
PID 664 wrote to memory of 2296	664	msedge.exe	104
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105
PID 664 wrote to memory of 4744	664	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe
"C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCli1ent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://exmple.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9565a46f8,0x7ff9565a4708,0x7ff9565a4718
    3⤵
    PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:2508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
    3⤵
    PID:5304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6608563429566185913,2887875076984357529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    3⤵
    PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
af2a10db79022aa433110f77a7dfe9e9

SHA1
5134409282cab896b9db33581250c28f59bc05e7

SHA256
4ad1568eaef414c1aa7223f133b71850ff6b3ac4e8a65901496dee77c02514ec

SHA512
adbc842a750d722b9d9ade092a13a54fae1866ab5eb441361d2a1640f62e1f3ff584ed80a23b0baf428efbbdafa9bcbad478cabf224c3c61ec033c98a494c50a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
efa3b79297b792ddfa72609e2389407a

SHA1
7c959b0d9c508607119d7c112fe81939169c8ccb

SHA256
04371cb7276a5868761433e311d805f97da580075fc9bf1a66f0a9d8ac9a4017

SHA512
1f08b7ea9823ae979382586db83b05c0d0dc5cb565b3946fb8134c0dfaaf61fdf80d6c666ceca6522964ac446d2a2e798e1f0eaff3dd2ab5cae88a793db20eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
69ff1131364cded9943ee602b7ff9bc8

SHA1
2fbb91dc4311d02bd52121e45dc76a1b3234112d

SHA256
222c197694ce2668507b052cdcca79482d8f5598eebe6d083c42a1409b673b4c

SHA512
fd3390b8b9da8367ffefaf93e724a5bbc7e821c055c6b1118f7c0703909de9e51d8e1b226651f06d18c5ee515da56cc3c7b97b567949671ffd511c74ec07adf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28f3ea05ab80bd4d5cbc9e46a8eda38e

SHA1
718ffa810c431dd9f34e52d66b49d712c1a1d78d

SHA256
7ac106cb7c53344eb13455581315d602c0ad32298e0e25270bf9c6a2ebe47a72

SHA512
3efbb6de4395d09de1e07757f7fb2f5a10d30e5a78955b996e71bc22c83168d780589062dc5cf69eb27709c88f31b687574a3acd0763ce032c1152ab9d3df6e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c9f55b4b255d1f56526c0b7c463bc442

SHA1
87ea89e1a5abb839364de3ae1baa93bbc607f501

SHA256
62b2362ceb818c3bba63f0ca17eead2fe86460d610cd8a46a2b9c52e64e0f125

SHA512
c7b8901f12479726c79f58e6d423497a87c8cd9f9e515cb24a31de24206af438e06179bf670c5da9c468aa451f649f87a3559a9ce7583b7079c12c6b8fc838a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzpnjysb.uod.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2940-14-0x00007FF95D630000-0x00007FF95E0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2940-18-0x00007FF95D630000-0x00007FF95E0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2940-15-0x00007FF95D630000-0x00007FF95E0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2940-13-0x00007FF95D630000-0x00007FF95E0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2940-12-0x00007FF95D630000-0x00007FF95E0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2940-2-0x0000025B5EE70000-0x0000025B5EE92000-memory.dmp

Filesize
136KB

Download
memory/4032-33-0x000000001D660000-0x000000001D66C000-memory.dmp

Filesize
48KB

Download
memory/4032-32-0x00007FF95D630000-0x00007FF95E0F1000-memory.dmp

Filesize
10.8MB

Download
memory/4032-31-0x00007FF95D630000-0x00007FF95E0F1000-memory.dmp

Filesize
10.8MB

Download
memory/4032-0-0x00007FF95D633000-0x00007FF95D635000-memory.dmp

Filesize
8KB

Download
memory/4032-1-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download