xworm | cf2daf2ee156bbaa5538861e4e985b048fc381aaa1b0e6b23e7d85c792f9e740

Resubmissions

28/03/2025, 17:21

250328-vxgm4a1kx8 10

28/03/2025, 17:18

250328-vvsmks1kw8 8

Analysis

max time kernel
159s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Logger.exe
Size

164KB
MD5

249060b5228607adb181a84d996aad8f
SHA1

947888adf4003acf955fde300e966b2124dc8315
SHA256

cf2daf2ee156bbaa5538861e4e985b048fc381aaa1b0e6b23e7d85c792f9e740
SHA512

5868765e1962f3d30529742125fa6864343c1d20a0d32a81f7c66dec00e9ad8e57f3849639cd354cba5636a978008c39a0b070f4ac8546a2d7ed298cbae9bfd6
SSDEEP

3072:yahKyd2n31o5GWp1icKAArDZz4N9GhbkrNEkOP2k:yahOQp0yN90QEb

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:6999

Attributes

Install_directory
%AppData%
install_file
Exec.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000002445c-1340.dat	family_xworm
behavioral1/memory/5292-1353-0x0000000000B20000-0x0000000000B36000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
208	4912	msedge.exe

Executes dropped EXE 3 IoCs

pid	Process
5292	dont runnnn.exe
2456	dont runnnn.exe
2352	ee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Logger.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
206	raw.githubusercontent.com
207	raw.githubusercontent.com
208	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
231	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1492810680\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1492810680\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1310488512\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_682060120\deny_etld1_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_682060120\deny_full_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_682060120\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1725461663\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1725461663\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_2212_204525185\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1725461663\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_682060120\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1725461663\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1492810680\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1310488512\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_581182582\_locales\ca\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876562575474460"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3975168204-1612096350-4002976354-1000\{F2E321D5-174A-4983-BDD2-1A409B2D142D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5292	dont runnnn.exe
Token: SeDebugPrivilege	2456	dont runnnn.exe
Token: SeDebugPrivilege	2352	ee.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3268	748	Logger.exe	86
PID 748 wrote to memory of 3268	748	Logger.exe	86
PID 4436 wrote to memory of 2252	4436	cmd.exe	90
PID 4436 wrote to memory of 2252	4436	cmd.exe	90
PID 2212 wrote to memory of 4708	2212	msedge.exe	98
PID 2212 wrote to memory of 4708	2212	msedge.exe	98
PID 2212 wrote to memory of 4912	2212	msedge.exe	99
PID 2212 wrote to memory of 4912	2212	msedge.exe	99
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 956	2212	msedge.exe	100
PID 2212 wrote to memory of 1464	2212	msedge.exe	101
PID 2212 wrote to memory of 1464	2212	msedge.exe	101
PID 2212 wrote to memory of 1464	2212	msedge.exe	101
PID 2212 wrote to memory of 1464	2212	msedge.exe	101
PID 2212 wrote to memory of 1464	2212	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\Logger.exe
"C:\Users\Admin\AppData\Local\Temp\Logger.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Logger.bat"
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2ec,0x7ffad75cf208,0x7ffad75cf214,0x7ffad75cf220
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2572,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3484,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3504,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5612,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5492,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5392,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5192,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6628,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6160,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=4368,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6804,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  PID:2012
- C:\Users\Admin\Downloads\dont runnnn.exe
  "C:\Users\Admin\Downloads\dont runnnn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7272,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=7264 /prefetch:8
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6952,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:8
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3560,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=7408 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5416,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3796,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6476,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6660,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=7392 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2156,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,15581553869064997935,632997120097301980,262144 --variations-seed-version --mojo-platform-channel-handle=7176 /prefetch:8
  2⤵
  PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4888

C:\Users\Admin\Downloads\dont runnnn.exe
"C:\Users\Admin\Downloads\dont runnnn.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3668
- C:\Users\Admin\Downloads\ee.exe
  ee.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8d7d3258hbb04h4582hb351h9606d22a7378
1⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault09f90d13h2d46h473ch8e27hd09651b3c8df
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1310488512\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1310488512\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1492810680\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1492810680\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_1725461663\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
65044109d1beb8ed8d59560642cbc519

SHA1
0084485b0aa26069232fab51ee603682e8edfd17

SHA256
a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d

SHA512
96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bd

Filesize
18KB

MD5
89ee4d8818e8a732f16be7086b4bf894

SHA1
2cc00669ddc0f4e33c95a926089cea5c1f7b9371

SHA256
f6a0dfa58a63ca96a9c7e2e1244fcff6aea5d14348596d6b42cd750030481b82

SHA512
89cc7dfae78985f32e9c82521b46e6a66c22258ebe70063d05f5eb25f941b2fd52df6e1938b20fe6c2e166faa2306526fdf74b398b35483f87b556a052b34c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
b7af55560f676e46fc43fac11edd8d14

SHA1
a225dfe0ffa255043f7c0ca4387a691e2271066f

SHA256
c8bd1a6850f7f8dfb2e89c4e422d8d0b1fc3ff392b7e843968b0100446279362

SHA512
43561f762c833be78ed92c4a95b1528dc6608a46b8a339bead6a8ab904414c2c11e7c0d215ccc867a4b6a9e7ad92d0cf5febe02a702e8f091b4222c53750cc5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe582c4b.TMP

Filesize
3KB

MD5
f63c46d5a60e4ecb968342d380016bad

SHA1
9d8d0313746ba491e97ac453d731a68b47aa5ce4

SHA256
6aae19bbbb8bac04af7d5ae90a556304ab110d1157a7f77a404c0045e092aa73

SHA512
8a21b52d0bcb9e58253a9b6fdde41b9eaf4382d399635fbf6922d82f66c223dc0deb97b724cc8fe979c74c49522e73df0bed4f0161878c5aea97e1bd78fa5de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
70283e02c56dfb3b2e6f384ccf45cff0

SHA1
ceb7e573f7e2c2a5a57ff44b351f1cc652ce808f

SHA256
ae42082aa323fd2a09fc11ff38245aeb2d6bd85d69f399cd490c58ad55e09a3f

SHA512
65c7abedb7fb00151de129a6864798cf663a236a2292a32b34a74be03906d4f86d3dcdc81211dd2cfd969f73c9ff6a19684cb5b259a28f73ec4269700d1cb806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f2c643b5eaebebdb6aafa6b02cd277d1

SHA1
54fe71543efc561ec8a256c529cf9ab1786c92b5

SHA256
79088f71ac3ef881ae81574b05bc6b18c6160899d663396be1a2029b3b6a26af

SHA512
b219c013b293d1c03d0608c97f8003f0d12878c9ba36c9b385880e4920bbdb0141bec525711d4db498f0b3a13fa1fc0935dc42fcfc2dc083cff6ab5c46dd9d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
d324ee4ed59fa0a434c3a438556ca5f9

SHA1
4548bae05be83bd723fcc35fb5ca186ee5e657e4

SHA256
e33e408d8b70ce984eaa54fe140ce6f8158f000a4aa9f70ca102ce0230da4c1e

SHA512
fe945fa19bb1e8a4ab99973432515d9ba12d8d262aa8da87b8d121b2bce7d395ac708a8012eba61d64165cf82c3f60647f9365f5b6d0f6d1ecc8a74e3d2cae37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
b3c57dac888a32cc46c155eb087c63af

SHA1
11699caa1e87324d749e9bc963de737f159fb554

SHA256
bb47119f881d65ad355fece051329f3076c6295fd66d78b22ff51c344c55164b

SHA512
c83b9293d91406cd7da9e9ffb1da1d87b464139abfa0215353556e9cf85c0de5f1bc4696795d02aa5e74042e88e26f6edb62f99e97c0e9dd0e40f3d5a44b13aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
9c4a0517393088af7f28622d9ee9b8b9

SHA1
e39d149e22c75a1ff1f33113158bd4d51cf14b57

SHA256
5c5cc6078d81a77cf65b056f381bff7ea61ffd0a1b0f48ee18b54e49df261a56

SHA512
b25089a95a96ab992b8682bfb30fe8fdc992a49319b8eca942c6785d82697fb960013198ba7c09267d5820a553b6c3806f717aceab4aa4aa53c75851dcef2c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
756f12971204fab59216a0d5eda13c63

SHA1
384a58de32f5421541193ea322331b9ee0cc5169

SHA256
13c0c00010160125e33a0dc5bfceba731dab485dcf0f89f6b94f42de2e979dd5

SHA512
97f003ddc3b271c8878ea6232c324949c8aec221ab055c377ccc07340ceb29f7840b0348d541205ceff609459916ddfdea64bb47a84acfe41abce9fe99385df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0664cb19-ad22-4ed4-b2cd-7c7d2d8a1310\index-dir\the-real-index

Filesize
72B

MD5
b9f0dc4f7af4018ebbed92dae3e15464

SHA1
cb5f2d5d0f3519189a4f87e65313a0c55a6a3b8f

SHA256
5a86a711f49e88369600950c8c5fb13c9fa35d8dec0c198a76895deefae0b685

SHA512
ae19adb220e483b270a7bb36fbbb8001672abebc245724502063ca0e55e7e9b2091fd14aab44cd51a1acb1fb7225c002e819102fe8f82110200052d657e5168a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0664cb19-ad22-4ed4-b2cd-7c7d2d8a1310\index-dir\the-real-index~RFe57d476.TMP

Filesize
72B

MD5
907a7a7839235b41538e37fd06c583eb

SHA1
d7d2138fa1c989f6e44744d45965e01b61f9ac2f

SHA256
5254a39a83a454a82dcffa11f6a72bd2c57fa42c790cd71954bcb410327bd4ee

SHA512
2584a33dce59e0a1dfbecf36433338fdaf7c0d0d30fdd49343575ec4a87cfa48939b04d70802c85586298aab93402a27cd39a78408921bde43f033f2d8557fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\36bcb78e-1727-48d0-8c4b-824ba5c68a1b\index-dir\the-real-index

Filesize
72B

MD5
05ea9c0c8858d9e555c0313a546e9151

SHA1
2f6bb8a0d7b609b60b400b5d2caf311b333a0bb4

SHA256
fb44dacd3601f5a4562a2818cbb36a164c6aa0c643274713693aed6b7dfbd707

SHA512
0c85cdd48e525f6f2e7d4471507faa6bc47376569988272ba0ad5611ae20655cfb7a8147a53307b9151fa2fc0530c6a9e94818d453ef186b4baacb05c88c54e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\36bcb78e-1727-48d0-8c4b-824ba5c68a1b\index-dir\the-real-index~RFe57d188.TMP

Filesize
48B

MD5
205a8aabe4d3f3311fe84bc12f1d52d1

SHA1
bff47db90a7683a3e71fec3a742a5aa4365a143e

SHA256
ad1bed4282f4e684d4af8b1789377c5e5e48c2963817cb23f9d5fcdc25cd2138

SHA512
257bb7bcf34d6f6f55402b12847fd1d06ffaa3b33200c11fb49b4de296fe11d8b71feda1d4f11e97d40384b1d32c089384c705f1088d30b808058c22b6ab2cdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b063b10c-aa74-40e9-8097-2e7a6b21975e\index-dir\the-real-index

Filesize
2KB

MD5
58df38b15eb64374c9d8178f1ca897bd

SHA1
41a84d80f2509b1a54cc938f2f65fc4538444def

SHA256
d398c04bcec8181df0b55609198118c4baa814d68b76ff643cec0a833f951e52

SHA512
6b6c7cfd335824b4224b3beee07bdd8b4e4460eaae311010c229f1340da39dd481f2868a35283495f6b75e69081ac3fec1623b25f5dcc2234a3833fae9ce15a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b063b10c-aa74-40e9-8097-2e7a6b21975e\index-dir\the-real-index~RFe57e3f7.TMP

Filesize
2KB

MD5
e6084e7bb88563b8de028bd0f5eaab1d

SHA1
ef962262e8bdf8d85e4ccbb484c2b4f58fdfd0c8

SHA256
75fa5bdcb71e32cc4cc6d13af76512a588d958b5d7326c0d6f57f6cd971f9211

SHA512
74d85725be7b9bb0bb65a3db4faba7bb9947b023fd28302e56302b8a634fefe9d2495a5df55ff42fb177332126dc87b875da196539c9e87375a2e9901e40d945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b90a9dce-b22a-4b5b-8760-65ac93bf0dcf\index-dir\the-real-index

Filesize
72B

MD5
ef890a832cd1680b625234e519d43ca6

SHA1
53adb2773f8d29574b09a383d51d64a68203b927

SHA256
bff2d01f8849f4cd610d953adb74901024e6ca017f67a8d9e023cc4f4b2134de

SHA512
d1c935b79d8bd25339e3580cf51f80f821e42bb48b02a2078eeb8b9272c93c2e74dd446e7742e1c6c9b30bb29f0f57630639a35e68007b82271471327d43bc31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
d2e7262a065fa564c36f897c94e8cf55

SHA1
d3ddaa8c824e1b66c68aae7be7c932bf141e4687

SHA256
bace4b914bb13156a1caed466a5c14b6ac82dff19df9e4cfdc9b63d3aa7a5cf1

SHA512
c418ecf519962b107c3c1da30b94eca32e1fb92f855f4ff5dbe2b340ca02910662287c30a3875527afc3cefac0f65dab24fae74d9ea9edeb51a4d9bf64b1236f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
b299f23a7bdb0d9312479b5f849bf295

SHA1
160e94f6d17c4465cfff3d3d5b72556bda62e0f0

SHA256
0822a49df7f546972fea9f1704587388407d694311e391401e3b5247f3dd961d

SHA512
6f9371fde0c29a371f175e4ca6d713393910733447e6ca215ff1b48d50a0f0ae34e5aa02d2d336d035059f031b8eba3313822a8982713019bda287fe59aa9e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ef5f18c6f363d6b8eae58714af1af5bf

SHA1
9367fde7a472405c2085ea604b23f2e6d992f2c9

SHA256
8936c549d03668ac7e20cf0fc2d76a0050dfca4652a34da36b666e5e7e299b24

SHA512
8fbc52a2397a1b324d1aeaf3a435a5b26a6fcfad2f830e6e4e0b8613f41c8a185384e561c9944803856bbdb234c456a8c93f2ba480349c5741234ef9d8bd8f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57df25.TMP

Filesize
72B

MD5
08a54d692228cfcd6c588e5c632b2458

SHA1
e0da72d140e6b04d4f95f335b9d2195674544385

SHA256
f850325539de5b0c3374c0d44ff3166b7efab7ff57d752ceff3f36015c15c924

SHA512
6bbcc7b620f3fd7641bda40060cc88d6de886ffb70e2d52e25c1b10694555df02b5cc89fc50376d5fc93b2cb15a628d8980724301c44b7fa95303c67a7306aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
3093810a79c8c363378cb5aa086e0718

SHA1
29da3c148cfabbcd27bc9d4a7c69002e07d9bcb8

SHA256
0c7999523c95c9236fcd6897c2e09cedad20c497f1495145c5c8cc8a8aeea94b

SHA512
14ca099846e6d487a48ea535eadbea2d26b6f690dfbb528665f049a1c12f17e8d559b1e774270674d7c32d6d2fc666500f4348981a17335540aaae0c9e9d85a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
b393ce659ba5ebf5a273d2ef66d64427

SHA1
db291bbef150665dc6e4c26c95d1e8d366f44fa8

SHA256
4ad61b3a7700571a21bac05658c3444b5baa6d65fbf4b36df16c1bd453de9987

SHA512
49afc3778fded1f25398135e92bdb60016ca55be9d4c6bb955e6f644643a1fa2c3ad04a743aca4619ea789ea588ef8252e7c6410876f1580dc596c823d58090e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
8119261ae793ef357e9651c94fe5472a

SHA1
9c18da8d1c5361b333cd5eebb95528bbdd0c8540

SHA256
b8ee80defb8f64f6fc92b21e715e9f42142352c4608e8b400d7ba9e4cbd778a6

SHA512
6b92670652d5086fe9b8f53add756e844cd87a590b4962e1b93cb46dac427d2667666acc7dd9694bb842dd670ea6ac102596153df93f626526c2686584192cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
7f6c35b9da4df4b8c3779a3d642f2968

SHA1
47b4ea0737465e13413b52d0f79e0d77e07b3a3f

SHA256
7990f8b8b603bd47e8062ba0c6a8dd33886d4ec80acdd4d41e646b9881c61681

SHA512
59616d5e9d5a2721802638eb7dd943ba1d205c0d1d576fea8978fa2084e7022b8197cca49d72d5337ad7da99f7c7d30e9de6a5fc19b7f8f81f9fa808777d96a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
e5075089d940fb924e7d4898b6421f2a

SHA1
d6c65ab91009b5bee21d99d9c44fc4ceb7f86d1d

SHA256
00a03ec274ac6d3ad2ec680a56596e37de9821dccb77edcd8d95e31af4e10759

SHA512
8c968ae5913885bf2523afd8cacd29b1d46de78eacdc7f46134c82e4c0ae77caedb9e6d8e59d29732218ef6668240e2ceae35d165b55e6d348d1a9c8fcf7d3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
2969879f2db33373ef81ee550f59c581

SHA1
7eb7cb7f56e6b81bb3b06ec553244b13f9c0c689

SHA256
e304a925bb1345954b68c12ba10dfb2995887a3f8f16d56b975407faadfa2cbf

SHA512
f01e0a1d9c79aeeb72c5d16e92548c27a5039f67000d529619667bf0f47468d11ec59d1dcd4620ea9c9ee324818f9c14b8096f41cd0fb02caf5d1d18ab4ec97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
cda806104515e30c871b2eb2bef6b57e

SHA1
2c4a4e4f896edf0bb777622c580625e2182ed9c1

SHA256
6ebc5e6b0f82e5976622c025d82836bd4674388c08edb9d0aa986d1e900f7546

SHA512
1ef59171598e5391f9f10ee94fc2a7ac558bc78aa7d3e000c8077527c5f3d0e9dcf54b3a52f1b89bd4ee6ab7fc8d2b478d3497babf40f615ef9d58a64791f8f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
9e9abfcc0e52e318f287555eba0bf449

SHA1
6d652212ce1f6c43ca240b03bfd82825091c9e49

SHA256
ed178e1eeaccedc2609ae4e79361344c92a2d2a10cfcebac84109b80ebc9b6d2

SHA512
aee961726bb8efa7464d2744f919c50a0fabd5f3f4fc3788c29ffef2b2a9d67b0f366d08c7b2d9c50e2cc5ca3d44dca28e2924dc852e1ed30cd62c9bd3160975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
6d2fd603354db87e0abab6092cfd7ae9

SHA1
750e2691ba446a75c0d945ad5ce0d2c448594b59

SHA256
dd4eeafa5767e3dabd5e19b5782895f13ead868e361ec227928f0b1269b636b5

SHA512
78ff944e1800102a75f8453e84551e85959b71a8c1c0f45e187d59700ba24eba21dc70b6fb5d3a6eb6c53077b2c1eabfc622790ffea9bd3a71a2149c0aa8ef49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
230fad49a3114f736fde2ab7595a1bb9

SHA1
f7d693a3f67bc1fdd771cbee70e53c8d6140e1af

SHA256
cdd43e776cbcec5c14ff73e0303e9ce52c3efb50434be1a979e423dfbd8b6892

SHA512
ac8c2ab56ff8ab15bcbf39180c7a6683dbace40c45fe16604a10741b7b9b0d53e3636e69b479723bef9214418835234527db5714d15395dca80d76539496ece8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
dd7bc645ea5df8f74f24218c10749b95

SHA1
33b4bd16061c4e084a387b15a3b3d613772220d0

SHA256
08ecea0ae01b2933566de2e50bf4efaaf218a5bc708ba373010b7d4973fe7895

SHA512
3a31eed7a197290ffd72edf4ec9c594e9d0b931c2b9b296b04bb26dd69c6c851ef0c8ca56d9751325ced3c657aed163931ef9dcd32387edd854aaf2fe9393d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57d6c8.TMP

Filesize
392B

MD5
cbbfef8679f04b3c0f53c90840bec3d8

SHA1
3b833b12cdf4e89f18737c2e173335660e610b2e

SHA256
c997ab4a7da017191538470f596e65fe0492f02aec28ef293f699473c4330f15

SHA512
6ccbbe5dc8716d244e583fdd9326453bbc0df53db5a31ba031714920146c2b1045bf9aad98089481602034de12ea7d9b0459062f43ef28a0a676f049c3295fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
3cfd92c97150df03ff08e1549f8cd404

SHA1
b6aa481553110b983eb10c877e940a5a23bc1913

SHA256
37c226617ead355804161edf1b9e65819851a6853b712d714eb72be55dd736f8

SHA512
13fcb23a8809424b38b25232971a657cc2414d56b9c54130403f5b04b6b420decae1de0e75dc687d4993831bc3235e5f226f80930bbac6db2869ba3d85c29fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Logger.bat

Filesize
920B

MD5
014efca3718fe34d627015b9f857d516

SHA1
2059c07f32cb2b718aa1752686972eb72b7cfc45

SHA256
fb7c75539943e5c9810bbd989070b36b9914b6584b6a8d9f7a68b32c6da0568a

SHA512
339e2d04df9f8525a61243b368b9a2591fee1830f5337c73b137d2fa778f4fd5bea0b61311bc2f05c2f4a7d0f5ba16090eb4a8a94d6d21ea55fa087cda96f694

Download Submit
C:\Users\Admin\Downloads\dont runnnn.exe

Filesize
63KB

MD5
dabcc99e28fd073b5f69ddc0d6c026d8

SHA1
01ae7a4ac96a2d50a19bcb673dd191a9cf3596c1

SHA256
211a7f4dd8f260b711509799918a5b493eb75e10f5f10a686a30109e198ffba4

SHA512
acc3a4f15d55e74fe0064a69b9f4700d56c0151dd6c1a830261233a9bd6a6724023055c6c667cf07c836bbf1cd707aec653509d30542967fab3f7f6598ba26b8

Download Submit
memory/5292-1353-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download