Analysis
- max time kernel: 112s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 10:53
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://mega.nz/folder/ZflXmB7b#pJtCDDPXU-sFsv-WfFcF2g
- Resource: win10v2004-20240508-en

General
- Target: https://mega.nz/folder/ZflXmB7b#pJtCDDPXU-sFsv-WfFcF2g
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: Xworm V5.6.exe, Xworm V5.6.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Xworm V5.6.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Xworm V5.6.exe)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Xworm V5.6.exe, Xworm V5.6.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Xworm V5.6.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Xworm V5.6.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Xworm V5.6.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Xworm V5.6.exe)
Loads dropped DLL (2 IoCs)
Processes: Xworm V5.6.exe, Xworm V5.6.exe
- PID 4556 Xworm V5.6.exe
- PID 2040 Xworm V5.6.exe

Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- resource C:\Users\Admin\Downloads\Xworm-V5.zip (yara rule: agile_net)

Matches YARA rule themida
- resource C:\Users\Admin\AppData\Local\Temp\6cfd30b3-8e17-443c-a5f6-48fbf06287fd\AgileDotNetRT64.dll (yara rule: themida)
- resource behavioral1/memory/4556-272-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/4556-274-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/4556-302-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/4556-311-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/2040-314-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/2040-315-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/2040-319-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/4556-320-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/4556-321-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
- resource behavioral1/memory/4556-323-0x00007FF8AAE50000-0x00007FF8AB602000-memory.dmp (yara rule: themida)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Xworm V5.6.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefnotaRAT = "C:\\Users\\Admin\\AppData\\Roaming\\DefnotaRAT.exe" (Xworm V5.6.exe)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 210: ip-api.com

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (1 IoCs)
Processes: msedge.exe
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, Xworm V5.6.exe
- PID 3032 msedge.exe (2 entries)
- PID 2808 msedge.exe (2 entries)
- PID 3472 identity_helper.exe (2 entries)
- PID 4744 msedge.exe (2 entries)
- PID 4556 Xworm V5.6.exe (8 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
- PID 2808 msedge.exe (7 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: Xworm V5.6.exe, Xworm V5.6.exe
- Token: SeDebugPrivilege, PID 4556 Xworm V5.6.exe
- Token: SeDebugPrivilege, PID 4556 Xworm V5.6.exe
- Token: SeDebugPrivilege, PID 2040 Xworm V5.6.exe

Suspicious use of FindShellTrayWindow (42 IoCs)
Processes: msedge.exe
- PID 2808 msedge.exe (42 entries)

Suspicious use of SendNotifyMessage (32 IoCs)
Processes: msedge.exe
- PID 2808 msedge.exe (32 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Xworm V5.6.exe
- PID 4556 Xworm V5.6.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
All 64 entries are PID 2808 msedge.exe writing to the memory of another msedge.exe process; the target PIDs, in order of first appearance, are:
- PID 2808 msedge.exe wrote to memory of PID 2908 msedge.exe
- PID 2808 msedge.exe wrote to memory of PID 948 msedge.exe
- PID 2808 msedge.exe wrote to memory of PID 3032 msedge.exe
- PID 2808 msedge.exe wrote to memory of PID 4320 msedge.exe
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/ZflXmB7b#pJtCDDPXU-sFsv-WfFcF2g
  Signatures:
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Child processes:
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c04046f8,0x7ff8c0404708,0x7ff8c0404718
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5084 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1692 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1492,18120246873511342277,16569339806136458366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE 0x470 0x4cc
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- "C:\Users\Admin\Downloads\Xworm-V5\Xworm-V5\Xworm-V5.6\Xworm-V5.6\Xworm V5.6.exe"
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- "C:\Users\Admin\Downloads\Xworm-V5\Xworm-V5\Xworm-V5.6\Xworm-V5.6\Xworm V5.6.exe"
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads