xworm | hxxps://gofile[.]io/d/aDd2yE

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/aDd2yE

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/KESYt2Qf

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023d1f-72.dat	family_xworm
behavioral1/memory/5400-122-0x0000000000DA0000-0x0000000000DB8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
46	1516	msedge.exe

Executes dropped EXE 6 IoCs

pid	Process
5400	RedWare V3.exe
5500	RedWare V3.exe
2436	RedWare V3.exe
5428	RedWare V3.exe
6072	RedWare V3.exe
2700	RedWare V3.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
96	ip-api.com
54	ip-api.com
93	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 66608.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
3916	msedge.exe
3916	msedge.exe
3924	identity_helper.exe
3924	identity_helper.exe
5288	msedge.exe
5288	msedge.exe
5544	msedge.exe
5544	msedge.exe
5544	msedge.exe
5544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5400	RedWare V3.exe
Token: SeDebugPrivilege	5500	RedWare V3.exe
Token: SeDebugPrivilege	2436	RedWare V3.exe
Token: SeDebugPrivilege	5428	RedWare V3.exe
Token: SeDebugPrivilege	6072	RedWare V3.exe
Token: SeDebugPrivilege	2700	RedWare V3.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe
3916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 2348	3916	msedge.exe	85
PID 3916 wrote to memory of 2348	3916	msedge.exe	85
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 3420	3916	msedge.exe	86
PID 3916 wrote to memory of 1516	3916	msedge.exe	87
PID 3916 wrote to memory of 1516	3916	msedge.exe	87
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88
PID 3916 wrote to memory of 1348	3916	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/aDd2yE
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5aec46f8,0x7ffd5aec4708,0x7ffd5aec4718
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5288
- C:\Users\Admin\Downloads\RedWare V3.exe
  "C:\Users\Admin\Downloads\RedWare V3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5400
- C:\Users\Admin\Downloads\RedWare V3.exe
  "C:\Users\Admin\Downloads\RedWare V3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3100351225427046387,12090071951642941523,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5784

C:\Users\Admin\Downloads\RedWare V3.exe
"C:\Users\Admin\Downloads\RedWare V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Users\Admin\Downloads\RedWare V3.exe
"C:\Users\Admin\Downloads\RedWare V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Users\Admin\Downloads\RedWare V3.exe
"C:\Users\Admin\Downloads\RedWare V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6072

C:\Users\Admin\Downloads\RedWare V3.exe
"C:\Users\Admin\Downloads\RedWare V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6018c6faff2f5c5a66b11c31ea0e1fb8

SHA1
5f7d8d255510c1ac00d91d815b3de5b627135bfd

SHA256
946b38334fd2e02b1e28a57c62006ca8083c2025bf39de8875706db9f2d0de52

SHA512
44363565a004c66ee6440f181db8488bad0c7206c910c8c62cf42ca249a9505a28228a67425af837361041912b8cd41ebc685aee6474115a256241e4234f62bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
b15ca352a2f208a7f0fcce0996404cb7

SHA1
c4bbe66ab7d727e190e511b276b25a52d7d41df5

SHA256
21f7392ea9180d4bfaa71f853089c07c2d2023604274f4ad8790ec7308343959

SHA512
d00a1135f39eb765f53c55ec2e99683863c610404617e6c0fd41a1f4f7fffacb22ce22cc887ca4a70989491a643d764c2306c8a77302f5f98402278e3e466f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5888979fd032b9c5dea21a1c25bc062e

SHA1
6d93bb1151db6b547a6a9779c0d08769691b140e

SHA256
ec152317bcf555fb1c850b9aa5b129a31ee2f5081ca3cba5936376b48cd3a06d

SHA512
6f87f02c43e4ee00b6b16f82373f53fe47b1f855f59194366b732d7ebfa83fb7b7fa4093b69572b2bef6188f036463856b556cc0e59ac94eaf12c76900f24559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff5154a5c00173f8002871e6867bd93c

SHA1
136fb9bb4b7b1b9c122b4e924aa50610479a1b99

SHA256
6ded3e20ea8f8f7f58cae7fd0497fca0e4709225fa0de66a0ea4fd11a23c96fd

SHA512
ba4c5c89ea4715a9ee2b4d308ae6b064091810d7d020f2ba8d0404977d0f60fee8bb232bbadb8b13fd8f4878a61e89820072b99ffa4e071823bc573ac597ea74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
834c2ba513c1f0518e567d919d5e4a57

SHA1
dca2d325c7edeb86c44adae443cb04e3a78bc78e

SHA256
8b85239d10d5f180654cb21712492604e61b1582aa0a9a0025c71b40ea2c4fcb

SHA512
4e7cf0e32e00ab34a42089e11063752cd471fd45c15d85005be164c665ede51624c3e9cc278c557caffa7b23897f687ebc445e38dbede9de829ff3c0e3cfb13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b8095793700f572a0cdbf03941d9219b

SHA1
bb7e8cdb519b69b9b19955d0a2b8f9e375c80382

SHA256
7c04e904c804c399f553d97acd26b2784f9cc7ccab079da012e1b2fe32995fd8

SHA512
3792d563d189056220a068e5ac6ad3826c2c0a18f18d8f93d4fe374c75fc03027323fa0f602debb9b70d14b9f820c0a95ce2b2343f63a798b0cd6ed9dd572815

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 66608.crdownload

Filesize
72KB

MD5
b5892fe7454ad1df3f4dd9f4be747ebc

SHA1
6173c035aa615ccf246af9c1aa1d2ff342d4c425

SHA256
940847a761d375075649b5b6d476f28b06c2b10f1f161c3ecdabb7a59adb5712

SHA512
2651f1fad1f67e80dce10e8dee2cd475964f1ea4c527ad0923c249a9c2a9cfda651b4e8df8ccc245bebecdd6fd41536b64acf17184ca815bdf13d028a07bee1b

Download Submit
memory/5400-122-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

Filesize
96KB

Download