xworm | hxxps://cdn[.]discordapp[.]com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper[.]exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

Analysis

max time kernel
36s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

paul-nw.gl.at.ply.gg:51413

Mutex

AVvzTAnLyW8qQCcO

Attributes

Install_directory
%AppData%
install_file
kev.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d9c-113.dat	family_xworm
behavioral1/memory/1896-123-0x0000000000960000-0x0000000000970000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
8	3884	msedge.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	newuimatrix.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	matrixnew mapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	-.exe

Executes dropped EXE 4 IoCs

pid	Process
5600	matrixnew mapper.exe
5764	newuimatrix.exe
5852	-.exe
1896	.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
59	raw.githubusercontent.com
60	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5764	newuimatrix.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 17412.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3884	msedge.exe
3884	msedge.exe
4808	msedge.exe
4808	msedge.exe
4560	identity_helper.exe
4560	identity_helper.exe
5420	msedge.exe
5420	msedge.exe
5764	newuimatrix.exe
5764	newuimatrix.exe
5764	newuimatrix.exe
5764	newuimatrix.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5852	-.exe
Token: SeDebugPrivilege	1896	.exe
Token: SeDebugPrivilege	5764	newuimatrix.exe
Token: SeDebugPrivilege	5764	newuimatrix.exe
Token: SeLoadDriverPrivilege	5764	newuimatrix.exe
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1600	4808	msedge.exe	85
PID 4808 wrote to memory of 1600	4808	msedge.exe	85
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 1308	4808	msedge.exe	87
PID 4808 wrote to memory of 3884	4808	msedge.exe	88
PID 4808 wrote to memory of 3884	4808	msedge.exe	88
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89
PID 4808 wrote to memory of 3412	4808	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbea6946f8,0x7ffbea694708,0x7ffbea694718
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,9873394525122018261,11586970196061287335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5420
- C:\Users\Admin\Downloads\matrixnew mapper.exe
  "C:\Users\Admin\Downloads\matrixnew mapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5600
- - C:\Users\Admin\Downloads\newuimatrix.exe
    "C:\Users\Admin\Downloads\newuimatrix.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Users\Admin\Downloads\-.exe
    "C:\Users\Admin\Downloads\-.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5852
  - - C:\Users\Admin\Downloads\.exe
      "C:\Users\Admin\Downloads\.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39c51e5592e99966d676c729e840107b

SHA1
e2dd9be0ffe54508a904d314b3cf0782a9a508b7

SHA256
29f29a3495976b65de3df2d537628d260bc005da5956b262ff35e9f61d3d9ed3

SHA512
b20532d0131b12603410c3cb425cb5df0ddc740f34e688455eff757802ffc854be771b30c3ff196e56b396c6fe53928a1577c8330b00f3f7b849fcf625e51bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39e376ee2f541e6b1ed0bca701e8fb59

SHA1
bfe3cc2eed8721339d433533aef6e18e0a13a9a3

SHA256
80eda1e4d8c05e257ff17ef734d606e67d8ab70b3e351430b2b231631eed5e04

SHA512
a3f082c32857db0e3dec24394a259fff85e21b6a7b057ef55933504c23ec38cbb3237eb519d38385fc53cbc584c52aaf66291f44231245d9afee509a108a3350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7bebbb4186a2cd8d923c6b05eb6e7239

SHA1
88430e203e64166a2dd1049413a82d0580e6f76f

SHA256
bdcbb978f746ccd8a1e6ec5c8b3d38e9b13b32468f7f6d58ea26675119685f2a

SHA512
8f9e6b7fca5ac54dd032390a1a14103ab831d595a7c83d69d8955ed395773c706f541626a49b705af219fcbc225c058bf3ef1518630d660f5110590d1c6d8bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bb77fd1936f35a89bd4baa36d31d663f

SHA1
0061310b6137ed8f44e19eee74739cddf1f2cd0b

SHA256
0e7142fd4dc9868e8d998a3510a92edf86a5c8a2452a1ed416bb8045e8841bcd

SHA512
87f66c071963d70f06e8e2e60f0889008a10e323c47f140b0dc00e7e687176475314ccfaffdbcf0504848aecaf78c9609c65d12c6522cfd47d047a64a98f1fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
284ed311cf90c8ea421110c7874d3a64

SHA1
b3ad4979ef48f995a70ae267c4dfc18861b9c922

SHA256
dec9e257f34c6e0257a6e8b8bc19af3375d491adace565a7c5f12ed69515a981

SHA512
1c2ec2bfe538d09a506008a9a33e8aef7617d45a677f553a7e95c72cc55cad79664b81b550d0e24b31a89517731152d047405e8439275855a0ff9d0237809c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6cb086478424e5d8ae1875a80b196b5

SHA1
f6b3b71ebded95374cc5d933144dc2caf1332b76

SHA256
91d8fb5b7aa368ade02004f0874fbdfc76bb998c110d7df06f2b077b0283c3c1

SHA512
d4ce46690dab2dbf37313b978a48df92dd0819e1fafd9c8d450ac281ad5f4811acf4ba5219a4a07f07c148ba6248f60bb79a4034fa8e0742aa88cda342d8b252

Download Submit
C:\Users\Admin\Downloads\-.exe

Filesize
428KB

MD5
4e4ef72e167c726a5918dd38c9ec901d

SHA1
0d6502c6c0e0e60be7883ea09514b0bd1a1dd1bc

SHA256
17bfc5e52bc85dfafe14e428825ae1b36bd9f016c0a26dc2049057e4a4d71e69

SHA512
c86161039a7c09bb28614a62f40b34b27f0894fc84ed60ef24919048e0aeebaa0ebe00cd4d5cf2a4537f0f09df2ee3eae666c1ce4ae93711e362ca6591e74f24

Download Submit
C:\Users\Admin\Downloads\.exe

Filesize
37KB

MD5
01f86862e5a3fab03f886eb19089da95

SHA1
8749ecbbac9f911deaee8d5530ef644ca0270258

SHA256
ecfb4e772dd3be3c70e2833558b53c9352466ef193694a32a2a6e4926d810d81

SHA512
c03771ab0e115c95c2af29f1ec3e331e90bac38074bd1eeda741a6e9f4f93d7cf55dd2a6354219886e50055730c10a363f264eeadcb2c06a1fd06a3670e41a86

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 17412.crdownload

Filesize
4.5MB

MD5
2661e9a9b063a4d7a96686aa8e4ffa04

SHA1
cf6af9701e80fb8000f0820e649e9683f7e0e659

SHA256
a3b2fdc9903049997ece0fd5ae96922642477a8ad822c9d8a53d574b8459aca5

SHA512
6bda80210f421d64d8a954564689bdb3fc8f8e229e748c0aca846e9ae2f2b7bf24533a85ba22d0d2771f36a88e38d5918b9b387a6224f83301f5eda70bd3bf83

Download Submit
C:\Users\Admin\Downloads\newuimatrix.exe

Filesize
4.1MB

MD5
f749fcc1351aadd81b6775332859fff7

SHA1
d774f21509b2e96ae96c08824387c353d8b5bca2

SHA256
fa1c0114aca150636c782bf0a161aa46059827ba4690090cf5fe076ffc50d82e

SHA512
434a5fa21e0e138945382398726540393308b4eccb7e3b42f557c6683fd39b519e7d8dc507c73e4fac14c961776d6d938406b07bbf7b14f2f4f15a6f41b090fe

Download Submit
memory/1896-123-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/5600-75-0x0000000000410000-0x0000000000894000-memory.dmp

Filesize
4.5MB

Download
memory/5764-127-0x000001BA24B20000-0x000001BA2573C000-memory.dmp

Filesize
12.1MB

Download
memory/5764-128-0x000001BA25750000-0x000001BA25751000-memory.dmp

Filesize
4KB

Download
memory/5764-129-0x000001BA24B20000-0x000001BA2573C000-memory.dmp

Filesize
12.1MB

Download
memory/5764-132-0x000001BA24B20000-0x000001BA2573C000-memory.dmp

Filesize
12.1MB

Download
memory/5764-91-0x00007FF7B4B70000-0x00007FF7B4F84000-memory.dmp

Filesize
4.1MB

Download
memory/5764-157-0x00007FF7B4B70000-0x00007FF7B4F84000-memory.dmp

Filesize
4.1MB

Download
memory/5852-108-0x000000001B400000-0x000000001B49C000-memory.dmp

Filesize
624KB

Download
memory/5852-104-0x000000001CC90000-0x000000001D15E000-memory.dmp

Filesize
4.8MB

Download
memory/5852-100-0x000000001B250000-0x000000001B2F6000-memory.dmp

Filesize
664KB

Download