Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
25-05-2024 09:04
General
-
Target
holy moly this is a good executor gui.rbxm
-
Size
11KB
-
MD5
639065fa41416b84bba8221645b5d40b
-
SHA1
56965ae8ea0898412cbf69ef3d514b954caf4b4e
-
SHA256
6042353e1bf948080c9d90a74fe59735cbb93c1c2c302679f800d3096911c9a0
-
SHA512
994b8509b6bab739cda3417acd7edc6a60dc50850f610c30c73e14f70d3c576c750f9f6d9c2f59d260bab5abad3494cf69157c636385959895d3b0c1d9de9805
-
SSDEEP
96:VQIeF23/wF3bssf3QFzxx80ZvCNkS1Km3RKQlEK6m3JEP/P8E:VQIeQ8IsfiVxNRCNkS1KARrlEK6AeH8E
Malware Config
Extracted
xworm
5.0
127.0.0.1:7777
45.145.41.147:7777
5N4ZirqATbPp1e8c
-
Install_directory
%ProgramData%
-
install_file
WinBackup.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file 10 IoCs
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\holy moly this is a good executor gui.rbxm"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9041046f8,0x7ff904104708,0x7ff9041047182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5916 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6576 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinBackup.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinBackup.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinBackup" /tr "C:\ProgramData\WinBackup.exe"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\qnxhux.exe"C:\Users\Admin\AppData\Local\Temp\qnxhux.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:22⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\WinBackup.exeC:\ProgramData\WinBackup.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\WinBackup.exeC:\ProgramData\WinBackup.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\WinBackup.exeFilesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.logFilesize
522B
MD58334a471a4b492ece225b471b8ad2fc8
SHA11cb24640f32d23e8f7800bd0511b7b9c3011d992
SHA2565612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
SHA51256ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OverwolfXclient.exe.logFilesize
617B
MD599e770c0d4043aa84ef3d3cbc7723c25
SHA119829c5c413fccba750a3357f938dfa94486acad
SHA25633c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5
SHA512ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinBackup.exe.logFilesize
841B
MD50efd0cfcc86075d96e951890baf0fa87
SHA16e98c66d43aa3f01b2395048e754d69b7386b511
SHA256ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7
SHA5124e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD556641592f6e69f5f5fb06f2319384490
SHA16a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA25602d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5612a6c4247ef652299b376221c984213
SHA1d306f3b16bde39708aa862aee372345feb559750
SHA2569d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA51234a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
480B
MD529738c7aa22af5f708fdda6889064ad9
SHA19d3ac1bcd54772461d712f25c2e263fe4f1f5f5f
SHA25660137e8a9fec2e45fe226b09fe1fda596e94575a87af8dfbeca708dd283f61ee
SHA512a58066e33433d5f529afa0c06508692a2650f8b23581658b5a4b7952a5b883285ab8c38ea6580e6074ea98f4f78712d705de40759652425d56bd1aea5e1ba9f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5cd1ed9326d23fd7630cc21af61564423
SHA1bc427d8a9e2108eb9203b896f5ed01e050b862d4
SHA25629c89a3b2ef008d9b28f349df52842227815d0134866a8b08f4f7de3327f99a0
SHA512815988b8017fc55e6fc1d19d620c713ea9aca79a95b24f8d9bef50ff5b296368cf041980a66b528d8a28af8edb5c9aafb6ebc02bf2e99cd5c9d50eef1d293a1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5181d49404c3f9b12e8178059dcac6496
SHA1abb29305706ecc75371cba7a4eea2e7c8ead4fe6
SHA2569c9273f32b17bb12c9f2d5be9745d54226d70fc98f212d2d9c2c163f0038ee4a
SHA5122e065641f64fb5a93162cf110216d20a5e474069285b971069dc437a9fe9d21851cfa4a859c998a8eb6e4c1d3a8ea739ad0bfea09a0c97afa78cca0cc117b3a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5f1fd41fdfbf73422dbeb94da15246cc3
SHA12d00fad407d5235eaf69965e74f7428dca127a15
SHA25665ed2bfd4bbe23047d54b007de11d7344f38544fb3f362028433267e9f223e8b
SHA5121b59810a97e7611ebe503bd9711125e7c4920acfc036acce0538a28d92daddb3824481d46f5fd743cc8c64f66ec13a4f2d363f7706462446163bc3eea71b0795
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5da587b479027bdf1de019c0801ebfc46
SHA190c61613d5941a836143488da7de7d725ba6902f
SHA2561d5c448270e751d5e998b11f6fba649bc19cf96710ae466469ea15e9c5b03855
SHA512c9ee02a2588f8754f84b9dff9222dffd0f8f22086c5755aa7c56f7eb6d75c514b90db0e9246273aac6fb7595cdb81703a0c87707b8a5273c09e0f56c5783958d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f84aec8b839b901ca68acca1276090af
SHA1697669bf630bd7854b9dace239366bc5542b12d4
SHA25654976e4500ae444428120beef9107b200878fcbe0f9d285366a3ec0996461609
SHA512e8e16f2267f8e0e19b29e365e161bc88adb24871d69a9ae155e87187362c4c9bdb5649c8a1423499a2753649b9bd67374d0d591f2266ea681fa1d4a2245acef6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD53cce8bfdd822e65951edfc836e8c3a64
SHA1090ba4b6c61008a4fdde29a048a0244dea6f9129
SHA25628e5610984f1cf3e640b0c0d082eeeab1436e29e0729cb5459022e1b61bdbdef
SHA5121a3379c69f3e3cce934985001267cb6589865678359d6007c2ada4ca83f6c4983a594775eebbc00c798a72ae8577eb7c20a604237bbafb0ae2bcff9441416a84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD549190a9f8f75c357228769455bb87ea7
SHA156d7bb25adbeac25cc8fe20fc2c82fa2fb303ecc
SHA2564e8f85a04189f15a4cef963123a4ddf7dd0f8060f469464b2b42f16f683f856d
SHA51293fa941a6527c670e2ceca1ea05b88a91a6aeb6007beed37bda4b95cf6d5f09783e8a3c8dd86d6bf2e40c1d5a1e67937415aea628be040b30884f30a2b852caa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5866c4.TMPFilesize
707B
MD5f0344f88b31c507ec5a28d3f15a62ff5
SHA1a946989e1ef6a0b722276445899d77d9f301e485
SHA256ff8f96bbc67b8e014d76d0bfff83fe34365a4b1faf557bee6a62a2b40547f99f
SHA51261c31b2a55347245cfd24647d6987e6af97a74a94d441494f9176ec0e0f10c17ce8e7e1f18a2d8235e77f1d5c2c87abecc4c78f335baf98ceb4f7ffc96dca356
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5bf7a85e15f227665cbb8c5a738f8ed04
SHA12eaba7b8bde9eb1019cb51e62a7fff70f44d6f70
SHA256e233ec8a6d450c31976ed2fd91d1a9188b4e1541e21fa37062a6f0b68c9c81f7
SHA51239519a059a9bca286792bc531a33cd51edecd1610681a9ca557d6c518f48192832acb2173926335611d56aa3354ec0188e893b31248d9f9ed4ca492ff193ac09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5ec5a2d9ba50c7933ad71ea7fec2c0bbb
SHA19f7ce199da6c8a5c0585075bd7619d131548af87
SHA256b03ba8417993f2f036880c984b717e8356e70d655bca8128f72db30168b07002
SHA512b3ba6cddb9b31a6ff873efd0bf21b7e395125dc0eb239c2c2a74f12563bf2ca2cc027e57c02f40c7bc85f928cf68d540d71a428e16b42132551a7550ae06f488
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50adbc412ba3a7e3f3df1d7965a18ca71
SHA1195184a5d659396c20324519f17ab28d25a3b072
SHA25683f5920695c3f06a30f5ec9d95005282cc58a65d0cc37d9f0c2fca1fff77d48e
SHA512960aa2780167c85c4669b51dd846bf7eb5c02be819f307487102f72e8109b5999c2e1d9c8ec56ca9a782dcbbfc450b94cf2a4fe4df88c7028cd3f6bdadd23d3f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5c3b99dbdb0c28fef1fe85dcece45e138
SHA1f584e3a1d7b0dccdc86675d25bce5a785b861f33
SHA256ccf74b256bc2a7eb6e2e946abc3afe672fb385f430d623155878d75dc5eb0343
SHA512a24c036ecf5b4661f3b67033d4f8a864e793d7c1befc9cd062983f6370ed51f4c35b3f1bdc57b5a912bb957c225b9bc3c615581fe8959693a142d5464d4415c4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD52213e9e3b6dc4cf8ef8cbc997227da1d
SHA12bd47a8412a2a66c2e1de10a29f7153eb03cac6f
SHA2561afc327040c4d27f703271ab0afda54e0e2006ac7fa96eaf121276bc6b139105
SHA512a1e7bbd50dec9cbe1b33466c30f54f6fd326663e4daa93501805b6f4c681777438f9cbb4bf19095ac32637ffa6aa580d2a1e52da4ceabefbd7560a287f6c4c07
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD53da0de7b6317e397b14cd38240e249b1
SHA1524649ba004639a71768b1d202d9dd87087dca9f
SHA2561a5f4c9fe2c3cf76483c7af3d02ba0349cb71d2ccb544f86f6fc834aa55b00e6
SHA512d028640f5eb8217f952d3a8dd92e4b4ac3e335c6009034857d9a07f87ffd7ed53d682968b62329af89166cba4fa9504eca391601a3da84ef8296bcbdd376a11e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5glakrn.lt2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\qnxhux.exeFilesize
454KB
MD5a8cabdfd5be7c3e721f2e686354843d2
SHA1e5b9e756f26aa5c5ed2301bcb43cd43cd1acdc50
SHA25644da81cd17476b3a40d3aa30398540003eaa6218e337b6f16091b602bc94f4f3
SHA512d1920e16dc009e4d9164aad60f9671044d366c597e2cda93ad31a86d209b65e7ecddfcc8ade30b7bab7e27e10bca2be41f1a0aac247a98a0db0e74f8615d336f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnkFilesize
1KB
MD5794bdf7a5beb409b125a098070ca5a3c
SHA1267e50a85ec4b12ad30121e31fd64ad605d69566
SHA25614cfc6e9ed04029719dd71e65e946a37fdaa83f8f5ada89cff9e3bf1b9754dd5
SHA5125b58ed76aaedb3241d18351d3acc408b48480f01ffa929522b30dc461fe58543a8ab4b3a498ce236db7c7ee2df8d342b57592fb51d7ee28c77dbca728a07f31d
-
C:\Users\Admin\Downloads\Unconfirmed 117064.crdownloadFilesize
1.2MB
MD5c08106fd9c5999388d5e541743d45d5b
SHA1571f4333cd757db2870e2459724b545e43ffcc11
SHA2568d4e23ba1ce9eab2340bad5e14111dc565bbe8de53653375ac3806f448dcc0ac
SHA51265c2e544e88b63e8d1216731be75f0407784d620af1b2dfa649eb87e9e6408ffa43a3697a94c8d4cf6cc9f8dfc83a0a824397ac75bbdde9fe3440802117e8261
-
\??\pipe\LOCAL\crashpad_3808_NTFKGTCJQVTEKHKEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/872-174-0x0000000005960000-0x00000000059FC000-memory.dmpFilesize
624KB
-
memory/3520-175-0x00000000054B0000-0x0000000005A54000-memory.dmpFilesize
5.6MB
-
memory/3520-178-0x0000000005CA0000-0x0000000005D56000-memory.dmpFilesize
728KB
-
memory/3520-173-0x00000000004D0000-0x000000000060A000-memory.dmpFilesize
1.2MB
-
memory/4264-342-0x0000000006B30000-0x0000000006B3A000-memory.dmpFilesize
40KB
-
memory/4264-179-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4264-206-0x0000000005700000-0x0000000005766000-memory.dmpFilesize
408KB
-
memory/4264-341-0x0000000006B50000-0x0000000006BE2000-memory.dmpFilesize
584KB
-
memory/4648-434-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-435-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-425-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-429-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-424-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-433-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-423-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-432-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-430-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4648-431-0x00000203DE340000-0x00000203DE341000-memory.dmpFilesize
4KB
-
memory/4848-225-0x000000006FB10000-0x000000006FB5C000-memory.dmpFilesize
304KB
-
memory/4848-208-0x0000000002CF0000-0x0000000002D26000-memory.dmpFilesize
216KB
-
memory/4848-238-0x0000000007940000-0x000000000795A000-memory.dmpFilesize
104KB
-
memory/4848-211-0x0000000005DF0000-0x0000000005E56000-memory.dmpFilesize
408KB
-
memory/4848-237-0x0000000007F90000-0x000000000860A000-memory.dmpFilesize
6.5MB
-
memory/4848-244-0x0000000007C80000-0x0000000007C9A000-memory.dmpFilesize
104KB
-
memory/4848-222-0x0000000006610000-0x000000000662E000-memory.dmpFilesize
120KB
-
memory/4848-236-0x0000000007610000-0x00000000076B3000-memory.dmpFilesize
652KB
-
memory/4848-224-0x0000000006BF0000-0x0000000006C22000-memory.dmpFilesize
200KB
-
memory/4848-221-0x0000000006040000-0x0000000006394000-memory.dmpFilesize
3.3MB
-
memory/4848-242-0x0000000007B70000-0x0000000007B7E000-memory.dmpFilesize
56KB
-
memory/4848-235-0x00000000075E0000-0x00000000075FE000-memory.dmpFilesize
120KB
-
memory/4848-243-0x0000000007B80000-0x0000000007B94000-memory.dmpFilesize
80KB
-
memory/4848-245-0x0000000007C60000-0x0000000007C68000-memory.dmpFilesize
32KB
-
memory/4848-210-0x0000000005550000-0x0000000005572000-memory.dmpFilesize
136KB
-
memory/4848-209-0x0000000005750000-0x0000000005D78000-memory.dmpFilesize
6.2MB
-
memory/4848-223-0x0000000006650000-0x000000000669C000-memory.dmpFilesize
304KB
-
memory/4848-239-0x00000000079B0000-0x00000000079BA000-memory.dmpFilesize
40KB
-
memory/4848-240-0x0000000007BC0000-0x0000000007C56000-memory.dmpFilesize
600KB
-
memory/4848-241-0x0000000007B40000-0x0000000007B51000-memory.dmpFilesize
68KB
-
memory/5412-268-0x000000006FB10000-0x000000006FB5C000-memory.dmpFilesize
304KB
-
memory/5412-255-0x0000000005AC0000-0x0000000005E14000-memory.dmpFilesize
3.3MB
-
memory/5468-369-0x0000000004AF0000-0x0000000004C4A000-memory.dmpFilesize
1.4MB
-
memory/5468-368-0x0000000004880000-0x000000000489A000-memory.dmpFilesize
104KB
-
memory/5468-367-0x00000000000C0000-0x0000000000100000-memory.dmpFilesize
256KB
-
memory/5672-301-0x0000000007AB0000-0x0000000007AC4000-memory.dmpFilesize
80KB
-
memory/5672-290-0x000000006FB10000-0x000000006FB5C000-memory.dmpFilesize
304KB
-
memory/5672-288-0x0000000006000000-0x0000000006354000-memory.dmpFilesize
3.3MB
-
memory/5904-400-0x0000000000C50000-0x0000000000CC8000-memory.dmpFilesize
480KB
-
memory/5988-326-0x000000006FB10000-0x000000006FB5C000-memory.dmpFilesize
304KB