Analysis

Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-05-2024 09:04
Static task: static1
Behavioral task: behavioral1
Sample: holy moly this is a good executor gui.rbxm
Resource: win10v2004-20240508-en
General

Target: holy moly this is a good executor gui.rbxm
Size: 11KB
MD5: 639065fa41416b84bba8221645b5d40b
SHA1: 56965ae8ea0898412cbf69ef3d514b954caf4b4e
SHA256: 6042353e1bf948080c9d90a74fe59735cbb93c1c2c302679f800d3096911c9a0
SHA512: 994b8509b6bab739cda3417acd7edc6a60dc50850f610c30c73e14f70d3c576c750f9f6d9c2f59d260bab5abad3494cf69157c636385959895d3b0c1d9de9805
SSDEEP: 96:VQIeF23/wF3bssf3QFzxx80ZvCNkS1Km3RKQlEK6m3JEP/P8E:VQIeQ8IsfiVxNRCNkS1KARrlEK6AeH8E
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:7777
C2: 45.145.41.147:7777
5N4ZirqATbPp1e8c
Install_directory: %ProgramData%
install_file: WinBackup.exe
Signatures

Detect Xworm Payload (1 IoC)
  Resource: behavioral1/memory/4264-179-0x0000000000400000-0x0000000000412000-memory.dmp
  YARA rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  PID 4848 powershell.exe
  PID 5412 powershell.exe
  PID 5672 powershell.exe
  PID 5988 powershell.exe
Downloads MZ/PE file
Drops startup file (10 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBackup.lnk | MSBuild.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBackup.lnk | MSBuild.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | OverwolfXclient.exe
Executes dropped EXE (11 IoCs)
  PID 872 OverwolfXclient.exe
  PID 3520 OverwolfXclient.exe
  PID 5888 OverwolfXclient.exe
  PID 5332 OverwolfXclient.exe
  PID 5468 WinBackup.exe
  PID 5592 OverwolfXclient.exe
  PID 5764 OverwolfXclient.exe
  PID 5904 qnxhux.exe
  PID 3612 OverwolfXclient.exe
  PID 620 OverwolfXclient.exe
  PID 5904 WinBackup.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinBackup = "C:\\ProgramData\\WinBackup.exe" | MSBuild.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  98 | ip-api.com
Suspicious use of SetThreadContext (8 IoCs)
  description | pid | process | target process
  PID 872 set thread context of 4264 | 872 | OverwolfXclient.exe | MSBuild.exe
  PID 3520 set thread context of 3052 | 3520 | OverwolfXclient.exe | MSBuild.exe
  PID 5888 set thread context of 5948 | 5888 | OverwolfXclient.exe | MSBuild.exe
  PID 5332 set thread context of 5392 | 5332 | OverwolfXclient.exe | MSBuild.exe
  PID 5592 set thread context of 5452 | 5592 | OverwolfXclient.exe | MSBuild.exe
  PID 5764 set thread context of 5868 | 5764 | OverwolfXclient.exe | MSBuild.exe
  PID 3612 set thread context of 5176 | 3612 | OverwolfXclient.exe | MSBuild.exe
  PID 620 set thread context of 5884 | 620 | OverwolfXclient.exe | MSBuild.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | OpenWith.exe
NTFS ADS (1 IoC)
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 117064.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3520 | OverwolfXclient.exe
  Token: SeDebugPrivilege | 4264 | MSBuild.exe
  Token: SeDebugPrivilege | 3052 | MSBuild.exe
  Token: SeDebugPrivilege | 4848 | powershell.exe
  Token: SeDebugPrivilege | 5412 | powershell.exe
  Token: SeDebugPrivilege | 5672 | powershell.exe
  Token: SeDebugPrivilege | 5948 | MSBuild.exe
  Token: SeDebugPrivilege | 5988 | powershell.exe
  Token: SeDebugPrivilege | 4264 | MSBuild.exe
  Token: SeDebugPrivilege | 5392 | MSBuild.exe
  Token: SeDebugPrivilege | 5452 | MSBuild.exe
  Token: SeDebugPrivilege | 5868 | MSBuild.exe
  Token: SeDebugPrivilege | 4648 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4648 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4648 | taskmgr.exe
  Token: SeDebugPrivilege | 5176 | MSBuild.exe
  Token: SeDebugPrivilege | 5884 | MSBuild.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3480 OpenWith.exe
  PID 4264 MSBuild.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\holy moly this is a good executor gui.rbxm"1⤵
- Modifies registry class
PID:2880
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9041046f8,0x7ff904104708,0x7ff9041047182⤵PID:1052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵PID:4040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3620 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:82⤵PID:3536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:4852
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵PID:3784
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:12⤵PID:1028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:12⤵PID:856
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵PID:2896
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2872 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵PID:2888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵PID:4948
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵PID:4152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵PID:4360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:12⤵PID:2956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵PID:3296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵PID:1496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵PID:4792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5916 /prefetch:82⤵PID:4564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:12⤵PID:1556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6576 /prefetch:82⤵PID:1032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2504 -
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:872 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4264 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5412 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinBackup.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5672 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinBackup.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5988 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinBackup" /tr "C:\ProgramData\WinBackup.exe"4⤵
- Creates scheduled task(s)
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\qnxhux.exe"C:\Users\Admin\AppData\Local\Temp\qnxhux.exe"4⤵
- Executes dropped EXE
PID:5904 -
C:\Users\Admin\Downloads\OverwolfXclient.exe"C:\Users\Admin\Downloads\OverwolfXclient.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:4848
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6100, child of the msedge.exe process above)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2933692277419634244,3235218903113399711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe (PID 1728)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2316)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 5328)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\OverwolfXclient.exe (PID 5888)
  Command line: "C:\Users\Admin\Downloads\OverwolfXclient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5948, child of PID 5888)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\OverwolfXclient.exe (PID 5332)
  Command line: "C:\Users\Admin\Downloads\OverwolfXclient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5392, child of PID 5332)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\WinBackup.exe (PID 5468)
  Command line: C:\ProgramData\WinBackup.exe
  - Executes dropped EXE

C:\Users\Admin\Downloads\OverwolfXclient.exe (PID 5592)
  Command line: "C:\Users\Admin\Downloads\OverwolfXclient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5452, child of PID 5592)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\OverwolfXclient.exe (PID 5764)
  Command line: "C:\Users\Admin\Downloads\OverwolfXclient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5868, child of PID 5764)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (PID 4648)
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\Downloads\OverwolfXclient.exe (PID 3612)
  Command line: "C:\Users\Admin\Downloads\OverwolfXclient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5176, child of PID 3612)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\OverwolfXclient.exe (PID 620)
  Command line: "C:\Users\Admin\Downloads\OverwolfXclient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5884, child of PID 620)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\WinBackup.exe (PID 5904)
  Command line: C:\ProgramData\WinBackup.exe
  - Executes dropped EXE
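The recurring shape in the tree above is an OverwolfXclient.exe instance started from the Downloads folder, tagged with SetThreadContext, that spawns MSBuild.exe with no arguments at all. A bare MSBuild.exe does no work on its own, and a parent that rewrites a thread context right before is the usual signature of a .NET loader hollowing a legitimate host; the 0x400000-0x412000 region dumped from PID 4264 in the memory list further down is consistent with a 32-bit payload mapped at its preferred image base inside such a host. The following is an added triage script, not output of the sandbox and not code from the sample. Its ProcEvent records are constructed by hand from the PIDs, images, command lines and behaviour tags on this page, plus one benign control (PID 9001, a devenv.exe-launched build) that is not on the page; the record layout loosely follows Sysmon Event ID 1 and the HOLLOW_TARGETS and BENIGN_PARENTS lists are assumptions to tune per environment.

```python
"""Triage of a process tree for argument-less hosted-runtime children and
executables run from the %ProgramData% root.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the process tree on the page; the event layout and the two name lists
below are assumptions, not something the report states.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# .NET build/host binaries that loaders commonly start and hollow. Started with
# no arguments they have nothing to do, which is the tell. (Assumed list.)
HOLLOW_TARGETS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "csc.exe", "vbc.exe",
}
# Parents for which a bare MSBuild/compiler child is routine. (Assumed list.)
BENIGN_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
# Behaviour tag the sandbox attached to the parent processes in this report.
SET_THREAD_CONTEXT = "Suspicious use of SetThreadContext"


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int] = None
    tags: Set[str] = field(default_factory=set)


def _argless(cmdline: str, image: str) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def _programdata_root(image: str) -> bool:
    """True for C:\\ProgramData\\<name>, the install directory used by this sample."""
    return ntpath.dirname(image).lower() == r"c:\programdata"


def triage(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one finding dict per rule hit: {"pid", "rule", "detail"}."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.parent_pid) if e.parent_pid is not None else None
        parent_name = ntpath.basename(parent.image).lower() if parent else ""

        if name in HOLLOW_TARGETS and _argless(e.cmdline, e.image) and parent_name not in BENIGN_PARENTS:
            findings.append({"pid": e.pid, "rule": "argless-hosted-runtime",
                             "detail": f"{name} started by {parent_name or 'unknown parent'} with no arguments"})
            # The parent manipulated a thread context: escalate to a hollowing candidate.
            if parent is not None and SET_THREAD_CONTEXT in parent.tags:
                findings.append({"pid": e.pid, "rule": "hollowing-candidate",
                                 "detail": f"parent PID {parent.pid} ({parent_name}) used SetThreadContext"})

        if _programdata_root(e.image) and name.endswith(".exe"):
            findings.append({"pid": e.pid, "rule": "programdata-root-exe",
                             "detail": f"{e.image} executed from the %ProgramData% root"})
    return findings


# Constructed from the tree on this page. PIDs 9000/9001 are an invented benign
# control (a real build launched by Visual Studio) and do not appear in the report.
SAMPLE_EVENTS = [
    ProcEvent(5888, r"C:\Users\Admin\Downloads\OverwolfXclient.exe",
              r'"C:\Users\Admin\Downloads\OverwolfXclient.exe"',
              tags={"Drops startup file", "Executes dropped EXE", SET_THREAD_CONTEXT}),
    ProcEvent(5948, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
              parent_pid=5888, tags={"Suspicious use of AdjustPrivilegeToken"}),
    ProcEvent(5468, r"C:\ProgramData\WinBackup.exe", r"C:\ProgramData\WinBackup.exe",
              tags={"Executes dropped EXE"}),
    ProcEvent(4648, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /7'),
    ProcEvent(9000, r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r'"C:\Program Files\Microsoft Visual Studio\devenv.exe"'),
    ProcEvent(9001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" app.csproj',
              parent_pid=9000),
]


def rules_for(pid: int, events: List[ProcEvent] = SAMPLE_EVENTS) -> Set[str]:
    """Set of rule names a given PID tripped (convenience view for reports/tests)."""
    return {str(f["rule"]) for f in triage(events) if f["pid"] == pid}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f['pid']:>5}  {f['rule']:<24} {f['detail']}")
```

On live telemetry the SetThreadContext tag has no direct Sysmon equivalent; the closest substitute is correlating Event ID 1 (the argument-less child) with an Event ID 10 ProcessAccess from the parent onto that child, and the argument-less check alone is the part that generalises to the other hosts in HOLLOW_TARGETS.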
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
- C:\ProgramData\WinBackup.exe
  Filesize: 256KB
  MD5: 8fdf47e0ff70c40ed3a17014aeea4232
  SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
  SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
  SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
  Filesize: 522B
  MD5: 8334a471a4b492ece225b471b8ad2fc8
  SHA1: 1cb24640f32d23e8f7800bd0511b7b9c3011d992
  SHA256: 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
  SHA512: 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OverwolfXclient.exe.log
  Filesize: 617B
  MD5: 99e770c0d4043aa84ef3d3cbc7723c25
  SHA1: 19829c5c413fccba750a3357f938dfa94486acad
  SHA256: 33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5
  SHA512: ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinBackup.exe.log
  Filesize: 841B
  MD5: 0efd0cfcc86075d96e951890baf0fa87
  SHA1: 6e98c66d43aa3f01b2395048e754d69b7386b511
  SHA256: ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7
  SHA512: 4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 56641592f6e69f5f5fb06f2319384490
  SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
  SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
  SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 612a6c4247ef652299b376221c984213
  SHA1: d306f3b16bde39708aa862aee372345feb559750
  SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
  SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 480B
  MD5: 29738c7aa22af5f708fdda6889064ad9
  SHA1: 9d3ac1bcd54772461d712f25c2e263fe4f1f5f5f
  SHA256: 60137e8a9fec2e45fe226b09fe1fda596e94575a87af8dfbeca708dd283f61ee
  SHA512: a58066e33433d5f529afa0c06508692a2650f8b23581658b5a4b7952a5b883285ab8c38ea6580e6074ea98f4f78712d705de40759652425d56bd1aea5e1ba9f5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: cd1ed9326d23fd7630cc21af61564423
  SHA1: bc427d8a9e2108eb9203b896f5ed01e050b862d4
  SHA256: 29c89a3b2ef008d9b28f349df52842227815d0134866a8b08f4f7de3327f99a0
  SHA512: 815988b8017fc55e6fc1d19d620c713ea9aca79a95b24f8d9bef50ff5b296368cf041980a66b528d8a28af8edb5c9aafb6ebc02bf2e99cd5c9d50eef1d293a1f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 181d49404c3f9b12e8178059dcac6496
  SHA1: abb29305706ecc75371cba7a4eea2e7c8ead4fe6
  SHA256: 9c9273f32b17bb12c9f2d5be9745d54226d70fc98f212d2d9c2c163f0038ee4a
  SHA512: 2e065641f64fb5a93162cf110216d20a5e474069285b971069dc437a9fe9d21851cfa4a859c998a8eb6e4c1d3a8ea739ad0bfea09a0c97afa78cca0cc117b3a6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: f1fd41fdfbf73422dbeb94da15246cc3
  SHA1: 2d00fad407d5235eaf69965e74f7428dca127a15
  SHA256: 65ed2bfd4bbe23047d54b007de11d7344f38544fb3f362028433267e9f223e8b
  SHA512: 1b59810a97e7611ebe503bd9711125e7c4920acfc036acce0538a28d92daddb3824481d46f5fd743cc8c64f66ec13a4f2d363f7706462446163bc3eea71b0795
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: da587b479027bdf1de019c0801ebfc46
  SHA1: 90c61613d5941a836143488da7de7d725ba6902f
  SHA256: 1d5c448270e751d5e998b11f6fba649bc19cf96710ae466469ea15e9c5b03855
  SHA512: c9ee02a2588f8754f84b9dff9222dffd0f8f22086c5755aa7c56f7eb6d75c514b90db0e9246273aac6fb7595cdb81703a0c87707b8a5273c09e0f56c5783958d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: f84aec8b839b901ca68acca1276090af
  SHA1: 697669bf630bd7854b9dace239366bc5542b12d4
  SHA256: 54976e4500ae444428120beef9107b200878fcbe0f9d285366a3ec0996461609
  SHA512: e8e16f2267f8e0e19b29e365e161bc88adb24871d69a9ae155e87187362c4c9bdb5649c8a1423499a2753649b9bd67374d0d591f2266ea681fa1d4a2245acef6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 3cce8bfdd822e65951edfc836e8c3a64
  SHA1: 090ba4b6c61008a4fdde29a048a0244dea6f9129
  SHA256: 28e5610984f1cf3e640b0c0d082eeeab1436e29e0729cb5459022e1b61bdbdef
  SHA512: 1a3379c69f3e3cce934985001267cb6589865678359d6007c2ada4ca83f6c4983a594775eebbc00c798a72ae8577eb7c20a604237bbafb0ae2bcff9441416a84
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 707B
  MD5: 49190a9f8f75c357228769455bb87ea7
  SHA1: 56d7bb25adbeac25cc8fe20fc2c82fa2fb303ecc
  SHA256: 4e8f85a04189f15a4cef963123a4ddf7dd0f8060f469464b2b42f16f683f856d
  SHA512: 93fa941a6527c670e2ceca1ea05b88a91a6aeb6007beed37bda4b95cf6d5f09783e8a3c8dd86d6bf2e40c1d5a1e67937415aea628be040b30884f30a2b852caa
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5866c4.TMP
  Filesize: 707B
  MD5: f0344f88b31c507ec5a28d3f15a62ff5
  SHA1: a946989e1ef6a0b722276445899d77d9f301e485
  SHA256: ff8f96bbc67b8e014d76d0bfff83fe34365a4b1faf557bee6a62a2b40547f99f
  SHA512: 61c31b2a55347245cfd24647d6987e6af97a74a94d441494f9176ec0e0f10c17ce8e7e1f18a2d8235e77f1d5c2c87abecc4c78f335baf98ceb4f7ffc96dca356
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: bf7a85e15f227665cbb8c5a738f8ed04
  SHA1: 2eaba7b8bde9eb1019cb51e62a7fff70f44d6f70
  SHA256: e233ec8a6d450c31976ed2fd91d1a9188b4e1541e21fa37062a6f0b68c9c81f7
  SHA512: 39519a059a9bca286792bc531a33cd51edecd1610681a9ca557d6c518f48192832acb2173926335611d56aa3354ec0188e893b31248d9f9ed4ca492ff193ac09
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: ec5a2d9ba50c7933ad71ea7fec2c0bbb
  SHA1: 9f7ce199da6c8a5c0585075bd7619d131548af87
  SHA256: b03ba8417993f2f036880c984b717e8356e70d655bca8128f72db30168b07002
  SHA512: b3ba6cddb9b31a6ff873efd0bf21b7e395125dc0eb239c2c2a74f12563bf2ca2cc027e57c02f40c7bc85f928cf68d540d71a428e16b42132551a7550ae06f488
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 0adbc412ba3a7e3f3df1d7965a18ca71
  SHA1: 195184a5d659396c20324519f17ab28d25a3b072
  SHA256: 83f5920695c3f06a30f5ec9d95005282cc58a65d0cc37d9f0c2fca1fff77d48e
  SHA512: 960aa2780167c85c4669b51dd846bf7eb5c02be819f307487102f72e8109b5999c2e1d9c8ec56ca9a782dcbbfc450b94cf2a4fe4df88c7028cd3f6bdadd23d3f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: c3b99dbdb0c28fef1fe85dcece45e138
  SHA1: f584e3a1d7b0dccdc86675d25bce5a785b861f33
  SHA256: ccf74b256bc2a7eb6e2e946abc3afe672fb385f430d623155878d75dc5eb0343
  SHA512: a24c036ecf5b4661f3b67033d4f8a864e793d7c1befc9cd062983f6370ed51f4c35b3f1bdc57b5a912bb957c225b9bc3c615581fe8959693a142d5464d4415c4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 2213e9e3b6dc4cf8ef8cbc997227da1d
  SHA1: 2bd47a8412a2a66c2e1de10a29f7153eb03cac6f
  SHA256: 1afc327040c4d27f703271ab0afda54e0e2006ac7fa96eaf121276bc6b139105
  SHA512: a1e7bbd50dec9cbe1b33466c30f54f6fd326663e4daa93501805b6f4c681777438f9cbb4bf19095ac32637ffa6aa580d2a1e52da4ceabefbd7560a287f6c4c07
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 3da0de7b6317e397b14cd38240e249b1
  SHA1: 524649ba004639a71768b1d202d9dd87087dca9f
  SHA256: 1a5f4c9fe2c3cf76483c7af3d02ba0349cb71d2ccb544f86f6fc834aa55b00e6
  SHA512: d028640f5eb8217f952d3a8dd92e4b4ac3e335c6009034857d9a07f87ffd7ed53d682968b62329af89166cba4fa9504eca391601a3da84ef8296bcbdd376a11e
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5glakrn.lt2.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\qnxhux.exe
  Filesize: 454KB
  MD5: a8cabdfd5be7c3e721f2e686354843d2
  SHA1: e5b9e756f26aa5c5ed2301bcb43cd43cd1acdc50
  SHA256: 44da81cd17476b3a40d3aa30398540003eaa6218e337b6f16091b602bc94f4f3
  SHA512: d1920e16dc009e4d9164aad60f9671044d366c597e2cda93ad31a86d209b65e7ecddfcc8ade30b7bab7e27e10bca2be41f1a0aac247a98a0db0e74f8615d336f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk
  Filesize: 1KB
  MD5: 794bdf7a5beb409b125a098070ca5a3c
  SHA1: 267e50a85ec4b12ad30121e31fd64ad605d69566
  SHA256: 14cfc6e9ed04029719dd71e65e946a37fdaa83f8f5ada89cff9e3bf1b9754dd5
  SHA512: 5b58ed76aaedb3241d18351d3acc408b48480f01ffa929522b30dc461fe58543a8ab4b3a498ce236db7c7ee2df8d342b57592fb51d7ee28c77dbca728a07f31d
- C:\Users\Admin\Downloads\Unconfirmed 117064.crdownload
  Filesize: 1.2MB
  MD5: c08106fd9c5999388d5e541743d45d5b
  SHA1: 571f4333cd757db2870e2459724b545e43ffcc11
  SHA256: 8d4e23ba1ce9eab2340bad5e14111dc565bbe8de53653375ac3806f448dcc0ac
  SHA512: 65c2e544e88b63e8d1216731be75f0407784d620af1b2dfa649eb87e9e6408ffa43a3697a94c8d4cf6cc9f8dfc83a0a824397ac75bbdde9fe3440802117e8261
- \??\pipe\LOCAL\crashpad_3808_NTFKGTCJQVTEKHKE
  Filesize: (empty; the hashes below are those of zero-length input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
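Of the files above, only a handful relate to the sample: C:\ProgramData\WinBackup.exe (the installed copy), AppData\Local\Temp\qnxhux.exe, the 1.2MB Unconfirmed 117064.crdownload in Downloads, and the Startup shortcut whose name is the literal string %startupname%.lnk, which reads like a loader template placeholder that was never substituted (an inference; the report only records the name). The three CLR_v4.0_32\UsageLogs entries show that OverwolfXclient.exe, MSBuild.exe and WinBackup.exe each executed managed code under the 32-bit .NET 4 runtime, which fits a .NET loader hollowing MSBuild.exe. The Edge Preferences, Local State, TransportSecurity and Crashpad entries are browser profile churn from the sandbox session and the PowerShell StartupProfileData and __PSScriptPolicyTest files are runtime noise from the PowerShell launches; none of those are indicators. The sweep below is an added example, not part of the report: it hashes every file under the given roots and matches on the SHA256 values copied from this page as well as on the two location rules (WinBackup.exe at the %ProgramData% root, any .lnk in the per-user Startup folder), so that a rebuilt sample with different hashes still surfaces. Directory paths are parameters; demo() exercises the same function on a constructed temporary tree with invented file contents, so the only hash hit it can produce is on its own stand-in file.

```python
"""Disk sweep for the on-disk artifacts listed in the Downloads section.

Added example, not part of the sandbox report. IOC_SHA256 is copied from the
page; the directory layout is passed in so the function runs unchanged on a
real host or on the constructed tree that demo() builds and then removes.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Tuple

# SHA256 -> description, copied from the report's Downloads section.
IOC_SHA256: Dict[str, str] = {
    "ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82": "C:\\ProgramData\\WinBackup.exe (256KB)",
    "44da81cd17476b3a40d3aa30398540003eaa6218e337b6f16091b602bc94f4f3": "AppData\\Local\\Temp\\qnxhux.exe (454KB)",
    "8d4e23ba1ce9eab2340bad5e14111dc565bbe8de53653375ac3806f448dcc0ac": "Downloads\\Unconfirmed 117064.crdownload (1.2MB)",
    "14cfc6e9ed04029719dd71e65e946a37fdaa83f8f5ada89cff9e3bf1b9754dd5": "Startup\\%startupname%.lnk (1KB)",
}

Hit = Tuple[str, str, str]  # (rule, path, note)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large downloads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots: Iterable[str], startup_dir: str, programdata_dir: str,
          iocs: Dict[str, str] = IOC_SHA256) -> List[Hit]:
    """Walk roots; report hash matches plus the two name/location rules from the report."""
    hits: List[Hit] = []
    startup_dir = os.path.normcase(os.path.abspath(startup_dir))
    programdata_dir = os.path.normcase(os.path.abspath(programdata_dir))
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            here = os.path.normcase(os.path.abspath(dirpath))
            for fn in files:
                path = os.path.join(dirpath, fn)
                low = fn.lower()
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue  # locked or unreadable; a production sweep would log this
                if digest in iocs:
                    hits.append(("hash", path, iocs[digest]))
                # Location rules survive a rebuild of the sample that changes every hash.
                if here == programdata_dir and low == "winbackup.exe":
                    hits.append(("name", path, "XWorm install_file at the %ProgramData% root"))
                if here == startup_dir and low.endswith(".lnk"):
                    note = ("literal %startupname% placeholder, as in the report"
                            if low == "%startupname%.lnk" else "startup shortcut; inspect its target")
                    hits.append(("startup-lnk", path, note))
    return hits


def build_constructed_tree(base: str) -> str:
    """Create a stand-in tree with invented contents; return the SHA256 of its WinBackup.exe."""
    pd = os.path.join(base, "ProgramData")
    su = os.path.join(base, "Startup")
    os.makedirs(pd)
    os.makedirs(su)
    body = b"MZ constructed stand-in, not the real sample"
    with open(os.path.join(pd, "WinBackup.exe"), "wb") as f:
        f.write(body)
    for name in ("%startupname%.lnk", "WinBackup.lnk"):
        with open(os.path.join(su, name), "wb") as f:
            f.write(b"L\x00\x00\x00")  # shell link header magic only; not a real .lnk
    with open(os.path.join(base, "readme.txt"), "wb") as f:
        f.write(b"benign control file")
    return hashlib.sha256(body).hexdigest()


def demo() -> List[Hit]:
    """Run sweep() on the constructed tree; the stand-in's hash is added as an extra IOC."""
    base = tempfile.mkdtemp(prefix="xworm-sweep-")
    try:
        stand_in = build_constructed_tree(base)
        iocs = {**IOC_SHA256, stand_in: "constructed WinBackup.exe stand-in"}
        return sweep([base], os.path.join(base, "Startup"), os.path.join(base, "ProgramData"), iocs)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for rule, path, note in demo():
        print(f"{rule:<12} {path}  <- {note}")
```

On a real host the roots would be C:\ProgramData, the user's AppData\Local\Temp and Downloads folders, and the Startup folder itself, with programdata_dir set to C:\ProgramData and startup_dir to the per-user Start Menu\Programs\Startup path; a .lnk hit should be followed by resolving the shortcut target, since the report shows both the placeholder name and a WinBackup.lnk pointing persistence at the %ProgramData% copy.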
- memory/872-174-0x0000000005960000-0x00000000059FC000-memory.dmp (Filesize: 624KB)
- memory/3520-175-0x00000000054B0000-0x0000000005A54000-memory.dmp (Filesize: 5.6MB)
- memory/3520-178-0x0000000005CA0000-0x0000000005D56000-memory.dmp (Filesize: 728KB)
- memory/3520-173-0x00000000004D0000-0x000000000060A000-memory.dmp (Filesize: 1.2MB)
- memory/4264-342-0x0000000006B30000-0x0000000006B3A000-memory.dmp (Filesize: 40KB)
- memory/4264-179-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/4264-206-0x0000000005700000-0x0000000005766000-memory.dmp (Filesize: 408KB)
- memory/4264-341-0x0000000006B50000-0x0000000006BE2000-memory.dmp (Filesize: 584KB)
- memory/4648-434-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-435-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-425-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-429-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-424-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-433-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-423-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-432-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-430-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4648-431-0x00000203DE340000-0x00000203DE341000-memory.dmp (Filesize: 4KB)
- memory/4848-225-0x000000006FB10000-0x000000006FB5C000-memory.dmp (Filesize: 304KB)
- memory/4848-208-0x0000000002CF0000-0x0000000002D26000-memory.dmp (Filesize: 216KB)
- memory/4848-238-0x0000000007940000-0x000000000795A000-memory.dmp (Filesize: 104KB)
- memory/4848-211-0x0000000005DF0000-0x0000000005E56000-memory.dmp (Filesize: 408KB)
- memory/4848-237-0x0000000007F90000-0x000000000860A000-memory.dmp (Filesize: 6.5MB)
- memory/4848-244-0x0000000007C80000-0x0000000007C9A000-memory.dmp (Filesize: 104KB)
- memory/4848-222-0x0000000006610000-0x000000000662E000-memory.dmp (Filesize: 120KB)
- memory/4848-236-0x0000000007610000-0x00000000076B3000-memory.dmp (Filesize: 652KB)
- memory/4848-224-0x0000000006BF0000-0x0000000006C22000-memory.dmp (Filesize: 200KB)
- memory/4848-221-0x0000000006040000-0x0000000006394000-memory.dmp (Filesize: 3.3MB)
- memory/4848-242-0x0000000007B70000-0x0000000007B7E000-memory.dmp (Filesize: 56KB)
- memory/4848-235-0x00000000075E0000-0x00000000075FE000-memory.dmp (Filesize: 120KB)
- memory/4848-243-0x0000000007B80000-0x0000000007B94000-memory.dmp (Filesize: 80KB)
- memory/4848-245-0x0000000007C60000-0x0000000007C68000-memory.dmp (Filesize: 32KB)
- memory/4848-210-0x0000000005550000-0x0000000005572000-memory.dmp (Filesize: 136KB)
- memory/4848-209-0x0000000005750000-0x0000000005D78000-memory.dmp (Filesize: 6.2MB)
- memory/4848-223-0x0000000006650000-0x000000000669C000-memory.dmp (Filesize: 304KB)
- memory/4848-239-0x00000000079B0000-0x00000000079BA000-memory.dmp (Filesize: 40KB)
- memory/4848-240-0x0000000007BC0000-0x0000000007C56000-memory.dmp (Filesize: 600KB)
- memory/4848-241-0x0000000007B40000-0x0000000007B51000-memory.dmp (Filesize: 68KB)
- memory/5412-268-0x000000006FB10000-0x000000006FB5C000-memory.dmp (Filesize: 304KB)
- memory/5412-255-0x0000000005AC0000-0x0000000005E14000-memory.dmp (Filesize: 3.3MB)
- memory/5468-369-0x0000000004AF0000-0x0000000004C4A000-memory.dmp (Filesize: 1.4MB)
- memory/5468-368-0x0000000004880000-0x000000000489A000-memory.dmp (Filesize: 104KB)
- memory/5468-367-0x00000000000C0000-0x0000000000100000-memory.dmp (Filesize: 256KB)
- memory/5672-301-0x0000000007AB0000-0x0000000007AC4000-memory.dmp (Filesize: 80KB)
- memory/5672-290-0x000000006FB10000-0x000000006FB5C000-memory.dmp (Filesize: 304KB)
- memory/5672-288-0x0000000006000000-0x0000000006354000-memory.dmp (Filesize: 3.3MB)
- memory/5904-400-0x0000000000C50000-0x0000000000CC8000-memory.dmp (Filesize: 480KB)
- memory/5988-326-0x000000006FB10000-0x000000006FB5C000-memory.dmp (Filesize: 304KB)