Analysis
- max time kernel: 0s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 19:32
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted
- family: xworm
- version: 5.0
- C2: should-nutritional.gl.at.ply.gg:22817
- q0vjMgzmZTmKaa3q
- Install_directory: %Temp%
- install_file: svchost.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource C:\Users\Admin\AppData\Local\Temp\XClient.exe: yara_rule family_xworm
  resource behavioral1/memory/3692-236-0x0000000000D40000-0x0000000000D68000-memory.dmp: yara_rule family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes: powershell.exe (PID 1740), powershell.exe (PID 4508), powershell.exe (PID 100), powershell.exe (PID 2672)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network: flow 42, IoC ip-api.com
- Program crash (2 IoCs)
  Processes: WerFault.exe (PID 1612) handled the crash of target ARES RAT.exe (PID 4788); WerFault.exe (PID 1284) handled the crash of target ARES RAT.exe (PID 4352)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes: PID 4884 msedge.exe wrote to memory of PID 2900 msedge.exe (2 events); PID 4884 msedge.exe wrote to memory of PID 1668 msedge.exe (the remaining 40 of the 42 events)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar
  signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad02946f8,0x7ffad0294708,0x7ffad0294718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4696 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11866975317894293753,178485377331564276,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2592 /prefetch:2
- C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe
  cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19368:130:7zEvent19423
- C:\Users\Admin\Downloads\ARES RAT2.exe
  cmdline: "C:\Users\Admin\Downloads\ARES RAT2.exe"
  - C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1180
      signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      signatures: Command and Scripting Interpreter: PowerShell
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      signatures: Command and Scripting Interpreter: PowerShell
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell
    - C:\Windows\System32\schtasks.exe
      cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      signatures: Scheduled Task/Job: Scheduled Task
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4788 -ip 4788
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\svchost.exe
- C:\Users\Admin\Downloads\ARES RAT2.exe
  cmdline: "C:\Users\Admin\Downloads\ARES RAT2.exe"
  - C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1152
      signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
- C:\Users\Admin\Downloads\ARES RAT2.exe
  cmdline: "C:\Users\Admin\Downloads\ARES RAT2.exe"
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4352 -ip 4352
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ARES RAT2.exe.log (654B)
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (288B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (317B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
- C:\Users\Admin\AppData\Local\Temp\XClient.exe (139KB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3decpp4.e2b.ps1 (60B)
- \??\pipe\LOCAL\crashpad_4884_ZVQWPDQFUANHXRHD
- memory/1740-243-0x0000027B751F0000-0x0000027B75212000-memory.dmp (136KB)
- memory/3692-236-0x0000000000D40000-0x0000000000D68000-memory.dmp (160KB)
- memory/4788-241-0x0000000008540000-0x000000000854A000-memory.dmp (40KB)
- memory/4788-242-0x0000000008660000-0x00000000086B6000-memory.dmp (344KB)
- memory/4788-240-0x00000000085C0000-0x0000000008652000-memory.dmp (584KB)
- memory/4788-239-0x0000000008B70000-0x0000000009114000-memory.dmp (5.6MB)
- memory/4788-238-0x0000000008470000-0x000000000850C000-memory.dmp (624KB)
- memory/4788-237-0x00000000006A0000-0x0000000003BA4000-memory.dmp (53.0MB)
- memory/4904-212-0x00000000005F0000-0x0000000003B5C000-memory.dmp (53.4MB)