Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
13-04-2024 16:03
General
-
Target
https://drive.google.com/file/d/1lXMp7IT8jIPJC94TnpCscPzFkJjO1vY_/view?usp=drive_link
Malware Config
Extracted
njrat
im523
HacKed
having-jackson.gl.at.ply.gg:56522
7c148ac38012fc3caa04b1bbe75feba0
-
reg_key
7c148ac38012fc3caa04b1bbe75feba0
-
splitter
|'|'|
Signatures
-
Detect Umbral payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1lXMp7IT8jIPJC94TnpCscPzFkJjO1vY_/view?usp=drive_link1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3e6246f8,0x7ffe3e624708,0x7ffe3e6247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5300 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4035849879055140008,10500911241100963783,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 /prefetch:22⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WAWE(ROBLOX)\" -ad -an -ai#7zMap2837:86:7zEvent325681⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\WAWE(ROBLOX)\WaveTrial\Wawe.exe"C:\Users\Admin\Downloads\WAWE(ROBLOX)\WaveTrial\Wawe.exe"1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Downloads\WAWE(ROBLOX)\WaveTrial\Wawe.exe" "Wawe.exe" ENABLE2⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\tmp7692.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7692.tmp.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\tmp7692.tmp.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmp7692.tmp.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\tmp7692.tmp.exe" && pause3⤵
-
C:\Windows\system32\PING.EXEping localhost4⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\tmp2801.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2801.tmp.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idxFilesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lockFilesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.valFilesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5120a75f233314ba1fe34e9d6c09f30b9
SHA1a9f92f2d3f111eaadd9bcf8fceb3c9553753539c
SHA256e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0
SHA5123c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bc2edd0741d97ae237e9f00bf3244144
SHA17c1e5d324f5c7137a3c4ec85146659f026c11782
SHA256dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041
SHA51200f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
408B
MD5dc0036ef4a2cec0fbc20e03660968937
SHA1888ff751beb87438da6986aed7da2b9fae2a716d
SHA256fa92a2e980ff239280ee1e017a93e0852184e5f56915fc5ffe11ce757174d53a
SHA512ca0c405408f4831936fb1c24d583bf63fdd9febe8cdc3f97bb3c38f8bb4166be39751245ee8326cab6e05cb1f097c3f6d7e69065ba84231b33ab278d27195e40
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD5b9470875ae0e64534c0a0c9819c20472
SHA1f417b481e5794dc0365f28714556a74c459d4bc9
SHA256af7252f57bb38782560af520368d84614d435c2fb937032ea1b2ae150d7a03d9
SHA512919b4ac4e920832375e94c8b5207baacb2f5b542f3f6ee26fce2b624af1f54ae88254e2934a850146470e6faa5ea352cd385c1b1a82648d297f83216ca798c41
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logFilesize
95B
MD5e747f00bc750c8b5438d17c626546063
SHA142fdc138eb2e3f5b19b21426a0cf9aa08fc2578b
SHA256eb8ea32b91057259f2cb40d6f8fc63367a39685486fa045bd0d4cd57b4613b06
SHA51240ac77e5937d6a79f104bd309e7e6e5593bf3c03f02efdbda375df04a7cd26afa3a7f677e7184919e25673a53663bcf36364b5e277d499d97046837fccbdf4a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD51fd64596e233dbc03e44f722261c8355
SHA112bd48bba2650d8e4abb7f318e377bc3695c4f63
SHA25666a8d5de5ebcc2872f40169ffb698cb1de5269229daf2fed314b79cd69085822
SHA512040550953d24d489a200688e3e5ee272d2887bfdb103b78a98582bd6c232aaf218ccd820aaf2159cc1a21276c0249eecc99a9e424bacf663b816f065055a3992
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5df21f53a5a474e5bf57fd88deb0d966a
SHA1961fbe5f62359dccfba308aafaaf810486ca3e01
SHA256406e6c2265cd79e67b6d8f4b9263182f5299de1d306a1cce1d5ecd28fbcca68d
SHA5124444ce94b48d9b2cfc8c46292c1a51effab76c451dc83809e46da89ecd4fc43ebb079025014d7cc2f5e8755c4d3c18fd9cdae26347b7c7d176afac367cf3cbc6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD533fd17965d6e8a7df4773789c4143c15
SHA162540baedde288dd166cd6203ba1fd526021cb54
SHA256ae125671e79b495abd8e08be1e1998123de5c8060c3482d1b90efad7a10dc368
SHA5128ff13b5e47387be2b6a12f5706a90cfb9b43fb781b97b42cac7d757cb4c4a8c283a6bcf60e13b8a1b29b5282c33724008aba36c73942acd6b169d1bca1907cf9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ddd4b86120e8e27f6ef550dbe7b1c740
SHA17c84968fc23ff769eee2f0524c1f6110fd9d921d
SHA256a3c51d526854c6732660bc267c38038c3428152fa114183d5bdb2bb01ab24808
SHA512d07d7a834108590ae26d28df05b563d8b91c9e6232923cd236ed7dfe057a08de66b0b2178707f0b2270d99e917279f55313ba4242c4d17d0a039de4ec1e0e10d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5c811b713f032e1e94559dcd9641fc281
SHA12fc1f2e3c1ce4cb3ad317d6f13ee0135b3af04ce
SHA2560f70a90de7d13abf2c61b83f7a18fb25b2de58826e3729593c9e912075af3dce
SHA512a741296683c1a0b9593e61808dca956ebec943433a7682c97f4843c5bbd5c3a0061eaea61b3a021dd911338cd495a5cafa1049f057ba923fff8f0571f487318f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5bb2966a22220c4045bd7b3b402f5c424
SHA199feea1c4778f4960d7ae8db2fdeb6a72ff344e4
SHA2563d1200243caea5865db0a9177df0187d52ab2c81c7be001be3287162058fe0e0
SHA512c90c4012dfbf845928947c99a4cb0744097da6e6d9f8e23b9cdf7691f775c674d5a6f17dd377195651d61ed35e0fcbdc7c63b5cf7effc15394a4b9d615bfa2b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5a1d96f268a9c1776c8944885a2698f14
SHA107a5e2cfb7283083ce8026745e4bf51c014f6153
SHA256f65b4e4f582e70956fff258cf83f1649fcaf223496e7400ed7c249b006bcd062
SHA512e9a84b29276a2c6e543f1d5b9beac6485875b77402d70a1cb7b1ddbdd609318686848f6c8fadf6e44aaeccc97279327ca8d318738e08353003adc877f1bc238c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD575c53e4aee35848cf573208419c33208
SHA15449af350e50f31d0b228358ecfc48c505d0d1f6
SHA256bfe83ff14de0b1e8920c7b4f06f615e17c56a65f15b3ccefc7ca803c476d7f17
SHA5125a7cda1ddfbb54c7961018fb4076402456739c504f29a93cff52a929c9c94f60fb02723095937f485edee7448098bff6209e88d2645fbaa580cb0dc27ceefa1c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5c9b6705519e1eef08f86c4ba5f4286f3
SHA16c6b179e452ecee2673a1d4fe128f1c06f70577f
SHA2560f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705
SHA5126d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a04fa55ccc3a400d64bd9e9c8fae7121
SHA194a6cc57112b3467914e50e0e229abe9f0aba757
SHA256bfd25686ddae9394f2060e05462bbb4b94cf576b258bdbe5ddb0b0638b19bc09
SHA512d86e9b3a0a6dd3ef17984137a6814f8aabeb930a72b4cd29d7a9a3995ce094d8fccdbe9399f38614148e4d15f729d91f91c0ce99d8ef6e16f5e65ec9e690bc89
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqs3qocc.3v4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp2801.tmp.exeFilesize
294KB
MD510fc8b2915c43aa16b6a2e2b4529adc5
SHA10c15286457963eb86d61d83642870a3473ef38fe
SHA256feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5
SHA512421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897
-
C:\Users\Admin\AppData\Local\Temp\tmp7692.tmp.exeFilesize
231KB
MD5211994ee8cb49643fd5204d606029e53
SHA11fb2d311f596e283b519606a233195b7ef2d78c3
SHA25601c07b796ebd9ccc2acc467ff44f9a4d7e33473d0b3c69e23b3b89608b8e59dc
SHA5120cf8ba8420e8f337b06b89a257a62563d86124ee4a30160f9815f244594159df44a957eca7cfd6a8443dd8dd371636d4972faa9cf1180fee9eafc87ddf2cf853
-
C:\Users\Admin\Downloads\WAWE(ROBLOX).rarFilesize
149.2MB
MD509c7f01096985bf09b2d4917e21ed146
SHA1306288966a26e745391892607aef7ee315e7ad5a
SHA256c0246d4f920c4f08fb821819c7aeb1c8b1fbcb83a53b2176e0911700cb0e4c0b
SHA5122a46a4fce5b758a085206ce1e1d08e30e1368ea5f58f47b3381064c016eb27e8fe8da9cca87834cc41b19a13bfbc1a1d7100238f4cdf106e897741cd4c9a11a6
-
C:\Users\Admin\Downloads\WAWE(ROBLOX)\WaveTrial\Wawe.exeFilesize
37KB
MD5ad8378c96a922dcfe813935d1eec9ae4
SHA10e7ee31880298190258f5282f6cc2797fccdc134
SHA2569a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98
SHA512d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f
-
C:\Users\Admin\Downloads\WAWE(ROBLOX)\WaveTrial\dist\client\assets\index-daab.jsFilesize
3.4MB
MD5a19bf5e804004e0397a4547f9a8568fe
SHA1daad35851be0986f1a99f5563976309c2f7fc800
SHA25666909b895c0b86eb1edaf95c0d728939a4986f01bf5112023bf52a6afc021155
SHA5122e98dedf48e2f16543ef28cdfad832f77a6250f6e71cadd2245e58aa4872a91934f390ad8552a1c59b035ead123904b95c31a1fb3d7ba3dbf49968b018755c5a
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b
-
\??\pipe\LOCAL\crashpad_608_MPGYUOIIAHGOMFCTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/436-963-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-954-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-962-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-966-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-964-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-961-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-956-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-955-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/436-965-0x00000186760C0000-0x00000186760C1000-memory.dmpFilesize
4KB
-
memory/972-879-0x000002BC9A6D0000-0x000002BC9A6E0000-memory.dmpFilesize
64KB
-
memory/972-880-0x000002BC9A6D0000-0x000002BC9A6E0000-memory.dmpFilesize
64KB
-
memory/972-878-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/972-904-0x000002BC9A6D0000-0x000002BC9A6E0000-memory.dmpFilesize
64KB
-
memory/972-906-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/3644-909-0x0000020C310E0000-0x0000020C310F0000-memory.dmpFilesize
64KB
-
memory/3644-923-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/3644-921-0x0000020C310E0000-0x0000020C310F0000-memory.dmpFilesize
64KB
-
memory/3644-919-0x0000020C310E0000-0x0000020C310F0000-memory.dmpFilesize
64KB
-
memory/3644-907-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/4100-814-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-808-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-809-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-807-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-813-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-815-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-816-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-817-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-818-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4100-819-0x0000022CF9790000-0x0000022CF9791000-memory.dmpFilesize
4KB
-
memory/4700-867-0x000001D16ACE0000-0x000001D16ACF0000-memory.dmpFilesize
64KB
-
memory/4700-869-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/4700-855-0x000001D16ACE0000-0x000001D16ACF0000-memory.dmpFilesize
64KB
-
memory/4700-856-0x000001D16ACE0000-0x000001D16ACF0000-memory.dmpFilesize
64KB
-
memory/4700-854-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/5532-931-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/5532-946-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/5532-934-0x0000020E2EF80000-0x0000020E2EF90000-memory.dmpFilesize
64KB
-
memory/5532-933-0x0000020E2EF80000-0x0000020E2EF90000-memory.dmpFilesize
64KB
-
memory/5776-952-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/5776-927-0x000001EDEDFD0000-0x000001EDEDFE2000-memory.dmpFilesize
72KB
-
memory/5776-926-0x000001EDEDFA0000-0x000001EDEDFAA000-memory.dmpFilesize
40KB
-
memory/5776-932-0x000001EDEDE70000-0x000001EDEDE80000-memory.dmpFilesize
64KB
-
memory/5776-873-0x000001EDEE000000-0x000001EDEE076000-memory.dmpFilesize
472KB
-
memory/5776-908-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/5776-833-0x000001EDEB8B0000-0x000001EDEB8F0000-memory.dmpFilesize
256KB
-
memory/5776-874-0x000001EDEE080000-0x000001EDEE0D0000-memory.dmpFilesize
320KB
-
memory/5776-877-0x000001EDEDF80000-0x000001EDEDF9E000-memory.dmpFilesize
120KB
-
memory/5776-834-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/5776-835-0x000001EDEDE70000-0x000001EDEDE80000-memory.dmpFilesize
64KB
-
memory/5968-837-0x0000020225AE0000-0x0000020225AF0000-memory.dmpFilesize
64KB
-
memory/5968-838-0x0000020225AE0000-0x0000020225AF0000-memory.dmpFilesize
64KB
-
memory/5968-844-0x0000020225A00000-0x0000020225A22000-memory.dmpFilesize
136KB
-
memory/5968-836-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/5968-851-0x00007FFE29AF0000-0x00007FFE2A5B1000-memory.dmpFilesize
10.8MB
-
memory/6060-821-0x0000000001310000-0x0000000001320000-memory.dmpFilesize
64KB
-
memory/6060-853-0x0000000001310000-0x0000000001320000-memory.dmpFilesize
64KB
-
memory/6060-953-0x0000000001310000-0x0000000001320000-memory.dmpFilesize
64KB
-
memory/6060-820-0x0000000074E20000-0x00000000753D1000-memory.dmpFilesize
5.7MB
-
memory/6060-806-0x0000000001310000-0x0000000001320000-memory.dmpFilesize
64KB
-
memory/6060-773-0x0000000074E20000-0x00000000753D1000-memory.dmpFilesize
5.7MB
-
memory/6060-970-0x0000000001310000-0x0000000001320000-memory.dmpFilesize
64KB
-
memory/6060-772-0x0000000001310000-0x0000000001320000-memory.dmpFilesize
64KB
-
memory/6060-771-0x0000000074E20000-0x00000000753D1000-memory.dmpFilesize
5.7MB
-
memory/6060-990-0x0000000074E20000-0x00000000753D1000-memory.dmpFilesize
5.7MB