xworm | hxxps://cold2[.]gofile[.]io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2[.]5%20By%20Drcrypt0r[.]rar

Analysis

max time kernel
0s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

should-nutritional.gl.at.ply.gg:22817

Mutex

q0vjMgzmZTmKaa3q

Attributes

Install_directory
%Temp%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\XClient.exe family_xworm
behavioral1/memory/3692-236-0x0000000000D40000-0x0000000000D68000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1740 powershell.exe
4508 powershell.exe
100 powershell.exe
2672 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1612 4788 WerFault.exe ARES RAT.exe
1284 4352 WerFault.exe ARES RAT.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2032 schtasks.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral1/memory/3692-236-0x0000000000D40000-0x0000000000D68000-memory.dmp	family_xworm

pid	process
1740	powershell.exe
4508	powershell.exe
100	powershell.exe
2672	powershell.exe

flow	ioc
42	ip-api.com

pid	pid_target	process	target process
1612	4788	WerFault.exe	ARES RAT.exe
1284	4352	WerFault.exe	ARES RAT.exe

pid	process
2032	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4884 wrote to memory of 2900	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 2900	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe
PID 4884 wrote to memory of 1668	4884	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad02946f8,0x7ffad0294708,0x7ffad0294718
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
2⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
2⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
2⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
2⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4696 /prefetch:8
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
2⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
2⤵
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
2⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
2⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
2⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2592 /prefetch:2
2⤵
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19368:130:7zEvent19423
1⤵
PID:3652

C:\Users\Admin\Downloads\ARES RAT2.exe
"C:\Users\Admin\Downloads\ARES RAT2.exe"
1⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe
"C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe"
2⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1180
3⤵
- Program crash
PID:1612

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
2⤵
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2672

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4788 -ip 4788
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
PID:5092

C:\Users\Admin\Downloads\ARES RAT2.exe
"C:\Users\Admin\Downloads\ARES RAT2.exe"
1⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe
"C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe"
2⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1152
3⤵
- Program crash
PID:1284

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
2⤵
PID:1864

C:\Users\Admin\Downloads\ARES RAT2.exe
"C:\Users\Admin\Downloads\ARES RAT2.exe"
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4352 -ip 4352
1⤵
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ARES RAT2.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
2500950d36d1a68fe9f1dc435179bcd4

SHA1
7a34ab3e4832461827e488fa1b44c1dcdc71422d

SHA256
934569d54a9fb35d333132b28be3b23ada305be15e808feadd6ef979a8845ed2

SHA512
68e2c10efc160a862a94e2b7e1dce8982aa59d5ad5736da9ea75956129eb22e4902ff82ed532c2aef97ef22e1f4c497d273fafaf9b90dc8d5a1785016fa4d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
317B

MD5
ad6063ef6354374fd73093899fa71a32

SHA1
598411f480fb851193bf5d322c6825a453159ab9

SHA256
78c0fa8f5e8fa36ad6eafb6286f0eb4caf9457d54d230a4099767ee51c0e8ab6

SHA512
912ba2b07360117409ce1781c80de9a89531c84b7ff55d12f2a66b19dbd1775167a7530eb8807c57a74b1c822de9ab62179d009b6713d0015b29e1e586b7e0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
bf472e38f5715b0f9ca27a13a7ab6c6b

SHA1
fc95475f310f18227f5e2183b229319ef233a412

SHA256
a97f98b86292237b208cb1fb8a9d8c69be416fdfd3656874a49f9ac49d838d1f

SHA512
a4a256d9a2fbc054f7cdc8dfa66d9a911efb88170432955639910c886c5f16890d724313af3bb0ba0d863acd278eec4cf8af39fcb7841d1d4d7bdb85ed41aae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3262114e26225367cb1710d997b38d99

SHA1
5731be4a7ba7a1b6010275e9d30f049c4c6cd36a

SHA256
2ae84cf057e559a23bb9cbae77e9848ca87165e021f5d12ab2f2f1ca982999ff

SHA512
2a770fbda4c60bb571d0d055290644e8c9cec6a8a112ede0311f780d36f1150cbfa97245faa93e1de9213acdbe301429f0108140317e3bdfde462e15d28e4ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a0e8026e581569d7b4223532005f2c01

SHA1
a09192ef37b0aea5ba2b04af09e7150e785024fc

SHA256
d1574ae66a8b90bc184054e4f355ffb3ef56fa5a319407e4142bc7eee71b7a0b

SHA512
674fef3c2e7d2617c65facc73f2ddbc52c39c9f284bcf42dbdb3af0159d22d251ecd4cf52a891fb14b1ccfa6721041f4618f0b402df1985e3a4a4226fdf3df49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
96c1e64a13655dd579339e5daad2cf2e

SHA1
c9feadf77109ee5a9e3eb5462dc170d4ae0be47e

SHA256
2fcf96c38d4a21150b69b21dd1643bfd64819f5f506c5b84bda1bdfe6457120a

SHA512
2a63ff109c604149c4d17b91ed2a1e68827479ea19d88916d0a9872f8c790335866d0990ded2acbf249b18ab94d890def0acb447102af6d45fc5f58bcb8d3d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fd8288a8f5be43b70799968381ac2045

SHA1
6c8a21919486cb3ea8f650281503add122a5e71e

SHA256
7408e1cea3b4d43fb07b2d321a1b72b63a5f9e2ea7ff146ecde3c8d829350779

SHA512
a9d5e24d6e71d246a0739ec13105499823bc0771925c10156e7c7cf0bcb2a0794b9b5d535d64d4a6ab9f0cb2819d8bcab36567d1a774ca45309f8ea39fc901b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c28937317ffaecb0023533dc0069808d

SHA1
9f5175aeaf73db5ab967b57bd896a982a9c6e906

SHA256
f6cb138382b9333938304b47ca2fcab5d9fa5c3fa63665020872c49a5d7bd7a9

SHA512
2de2e86570c35021f4fecd1e9fec285d410d8e36fce3ef4d782ff8c7d43242f10de123dac7e1c0609c27f33e6b88c46d83bc47948ca0b0329ca0ba70a5105ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe
Filesize
139KB

MD5
7236c15c27e7e63a179e4fc935e2aaf7

SHA1
2eb5ac67a7942a2b7b9a64942b4c621367f61881

SHA256
e4f859e199ed7f9933f7da654947cf04ec6c91367d53f6f0fc31f8b1872ac9a0

SHA512
845b9a6abbc9e4d5fb2121a7f1ccac892557d7c2fa57752226264e268254483a0b4184e3f0398c0fc22a009b81b9e7cdf6071146ab18afd563eabb13dabfde7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3decpp4.e2b.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_4884_ZVQWPDQFUANHXRHD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1740-243-0x0000027B751F0000-0x0000027B75212000-memory.dmp

Filesize
136KB

Download
memory/3692-236-0x0000000000D40000-0x0000000000D68000-memory.dmp

Filesize
160KB

Download
memory/4788-241-0x0000000008540000-0x000000000854A000-memory.dmp

Filesize
40KB

Download
memory/4788-242-0x0000000008660000-0x00000000086B6000-memory.dmp

Filesize
344KB

Download
memory/4788-240-0x00000000085C0000-0x0000000008652000-memory.dmp

Filesize
584KB

Download
memory/4788-239-0x0000000008B70000-0x0000000009114000-memory.dmp

Filesize
5.6MB

Download
memory/4788-238-0x0000000008470000-0x000000000850C000-memory.dmp

Filesize
624KB

Download
memory/4788-237-0x00000000006A0000-0x0000000003BA4000-memory.dmp

Filesize
53.0MB

Download
memory/4904-212-0x00000000005F0000-0x0000000003B5C000-memory.dmp

Filesize
53.4MB

Download