Analysis

  • max time kernel
    594s
  • max time network
    600s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30-05-2024 12:18

General

  • Target

    Expensive crack.exe

  • Size

    71KB

  • MD5

    b6be101304256001f7f455da58f1219b

  • SHA1

    31b64e6ccd125396c24ab3703ba6db9c7897e97c

  • SHA256

    bb8ddb19c329e2c75a5cf67a9598bd4fa1b30e2b1e88bb192b230f3a67b3afc5

  • SHA512

    f5a33ba8cdbff2510d10e1fd89a009ff893ed4e59a2a2199edf41ee26b547293578536f14ff967118e1e06eb70ff7680a3962b2b78ab5683d2caead87c43d0f0

  • SSDEEP

    1536:bsTOggb2YELN6udXd+6qYhN4Mo0bUhcHJSZ1H6M/y7eDfKkzHOPmJ5:ATr+MZH5dbHUM9bmcwhK7e+kOeJ5

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    Runtime Broker.exe

  • pastebin_url

    https://pastebin.com/raw/kYPYyCCf

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 63 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive crack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive crack.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1576
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=gjhyj&clid=2411726&lr=213
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb7e3f3cb8,0x7ffb7e3f3cc8,0x7ffb7e3f3cd8
        3⤵
        PID:4340
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
        3⤵
        PID:3484
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1864
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
        3⤵
        PID:4352
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        3⤵
        PID:4412
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        3⤵
        PID:4588
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4940 /prefetch:8
        3⤵
        PID:1560
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4952 /prefetch:8
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:2424
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
        3⤵
        PID:1460
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        3⤵
        PID:1848
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
        3⤵
        PID:4784
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
        3⤵
        PID:4048
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3064
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3884
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
        3⤵
        PID:3388
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10290621847839433512,11319669512175470378,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6056 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=gjhyj&clid=2411726&lr=213
      2⤵
      PID:1288
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb7e3f3cb8,0x7ffb7e3f3cc8,0x7ffb7e3f3cd8
        3⤵
        PID:4264
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
      2⤵
      PID:4924
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF70D.tmp.bat""
      2⤵
      PID:3684
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3112
  • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2808
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5040
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2372
  • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:984
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3004
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1144
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1524
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
    Filesize: 654B
    MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
    SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
    SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
    SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 627073ee3ca9676911bee35548eff2b8
    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 704d4cabea796e63d81497ab24b05379
    SHA1: b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
    SHA256: 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
    SHA512: 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: de47c3995ae35661b0c60c1f1d30f0ab
    SHA1: 6634569b803dc681dc068de3a3794053fa68c0ca
    SHA256: 4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7
    SHA512: 852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 1KB
    MD5: 957ec3e4a27af099fbf2a579622f1868
    SHA1: e7e923fb03d51ce35646f3ce12245bf65ae3678a
    SHA256: c2239342a9ec4241d367e854d4399b616272927cab4f405821db98d907399db0
    SHA512: 0186126f42d8ec68adb3af8c195a77289ce8096e5fcc03cd21e0324e03b0e8945e429859a6d5085da87f7cd934781e558df9e4312827f20e5f49bbe43ba150bf

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 1KB
    MD5: 7ad5fbf1693e60aac1e9890947b69d3e
    SHA1: baeddb26fac6723accd28931548098ede27113a4
    SHA256: 41915ddbd976c92284b430cdf7fe9d13cbbd3cc1795fae9e9427004a591b148a
    SHA512: 2be94ce100db3b2477bb78a1c7abcc8ab94fb577a3e6a5c4db200e248eff183044c768474eb765a236d8583761f4ebc08aa9cf4c00af059300754691cfffa46a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 540B
    MD5: d7c9c50c397a17e2b956be8145b69ddf
    SHA1: 95d11fe45b72f276e308e748ad9a692d467f0e5e
    SHA256: c10ce7d19ff6e2a65d813655361047bf74619a86cc4c4e5ac541f836271d8884
    SHA512: 7fdab5be23cf86892d3e8aa373efa1a4cf440fc65abb654f640dc2cd919b5b9b4dc183a9693beb4ce0680b502b5d19f4634dbb2ddfc8143078d93c08c41a28be

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 3c4f28688f24e2995ca619341839f47d
    SHA1: 511bbb36051a3c1d1aadf86e387ffc72e69b09c7
    SHA256: 3a81f9b63c63e06de8b480a7e009ac853cf395328bfc9c9d5f0bd158554a4ccf
    SHA512: 0e79ce5bf2e3bf7b072d08e43020596c03337a7effb3decdc4a51729d47a032ba06a6a9c91a7c94889bb577bbad4ef8d2fcd03faf09eea1855c3cb63c74a775c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: f0367cee2c5df7dda6368f025c2bdd2a
    SHA1: 20d8a776a938c653541131e7a191264759fa59c6
    SHA256: 874580e23f3bfe1e403734a27f5d15c76506cb8cdc220e534aee5d1c0a49777f
    SHA512: bcc2902f0dcfdc74b0b964cae7855bc6939ef8c1e6e716f42e5dfa58748dcac28c39289fe7ace852b6e2981da151c033225ff49d2acf4a7d8f75ebdfffc38f76

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 671645e5c56951435eb042d10f726744
    SHA1: 3a1cfe674702a7718f2c8e4d24063324242c7cde
    SHA256: 0f506affc2b706722dc426f24df3b7e007c9f447a07cb235da1fac7c141e4733
    SHA512: b041dc6165f648c24c5cdc98c950cc98b838c5f49b6c9495b3f682cc9dc73b69871fe41227f5f1d6ab30e8b3e44d8ec5d2df96eba959a8f6a22a267fd0e9a87f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001
    Filesize: 41B
    MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
    SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
    SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
    SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 0a3bb0845d68d3adee044b06a5a2d2cb
    SHA1: e6d0159c4006a48ad2415b52e0f5ef53994b9b05
    SHA256: 9bb3213c436817b0e66445a0baea3f5114217ac33cd831595dec06209332d97c
    SHA512: 73f104e294e4a12f75926674a4bdc0b158d16811a084fa19271a90b0fb6dc5fdbfad9c6a671abb725903c5666ec7d561e8960e434173bcb0abcfeafff04dee55

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: cbb780bd7004a425bd1da01924c34f15
    SHA1: a214a282245f97e37aafcf88ce9fbeb77f39eef6
    SHA256: 1700d54af03cfeff07a7d4c297342623969f5e68f413ff4fccbf52496e767ade
    SHA512: 6720b882cd826f95c08a926de93dcdff8d5b24348a1910835ce1a342c1bfedf46b12fe1909a4ca8de65a00fd6df21236d6141b5d6b7a2a825ec01b5dde736508

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize: 14KB
    MD5: 14fb7a30b23d946e0e20e9ad721f7a3a
    SHA1: fe41411398b00f96d6b5a70585381b1e8ecbe2c8
    SHA256: 4793d837ef11e138a998a328623447dd35ab27559f4bfa613450b792d76c82dc

                                      SHA512

                                      d3f9b06b0ed3f53add9807bca9d8313457a2b0048180fede74c5b4430113378242d28711418370cf7dc1cda4d526d4b6b6fc2785a11b547ba3bf78cbafd676b8

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      19396991a3bd267956d45c02cb66f8a9

                                      SHA1

                                      e2f3e40a57945b343134e59348a24e97ca8175d4

                                      SHA256

                                      c9d741d5062fb37860d00c479989faf6a5c9655798398f1509ec0ec55c539387

                                      SHA512

                                      a915dbe2d7b39eb6a47310091d6bcc4e050239e3297b0167688fa82584d49572873d118a9bee4ca7f99824496e796b45ea7c993ac80a6ddd9bea086aaf5527dc

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      4093e5ab3812960039eba1a814c2ffb0

                                      SHA1

                                      b5e4a98a80be72fccd3cc910e93113d2febef298

                                      SHA256

                                      c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

                                      SHA512

                                      f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      80b42fe4c6cf64624e6c31e5d7f2d3b3

                                      SHA1

                                      1f93e7dd83b86cb900810b7e3e43797868bf7d93

                                      SHA256

                                      ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

                                      SHA512

                                      83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

                                    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\AL78FYEB\microsoftwindows.client[1].xml

                                      Filesize

                                      96B

                                      MD5

                                      eb28299673ba61ac34b4f703db2a3cca

                                      SHA1

                                      32945ab789fc13b8e440651e6b32e96a60ff94cf

                                      SHA256

                                      15a167311db53c67d5d370e6b9e0e135136909a4155fdf16f8ca15f86b519f19

                                      SHA512

                                      73846ffab4c137897c08b03e372ca7c93cf17e7365ce59c2f2c8cb98c1915de15527d147ee0ed007970d56fb61b9ec47dfbfddf022bdac286e6a0a39dac1c587

                                    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\AL78FYEB\microsoftwindows.client[1].xml

                                      Filesize

                                      4KB

                                      MD5

                                      4c39063505a734126a8d5699e541fec0

                                      SHA1

                                      5be07b8ae98e11808a7189f1011f0fec2ebad587

                                      SHA256

                                      bb18ef144b8f0f6c3bfabfa4aade4ab8ed157b043adc6e2335a2d0ee45532bfa

                                      SHA512

                                      2be395d9c4e2356dbc4de956ea5e4ff47a7510c183b16d2a1f3515b6ef6503fef5219261997e196548173b11125f7dfcda48aaa4656d05034482b2d376b62fb2

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njg0kjuq.bhk.ps1

                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    • C:\Users\Admin\AppData\Local\Temp\tmpF70D.tmp.bat

                                      Filesize

                                      167B

                                      MD5

                                      efcb7f8efe4e0c3bea6fe1c47c536292

                                      SHA1

                                      083a19ed35b8935b84c87a05a41773589d12ad46

                                      SHA256

                                      0fffc06b942b5f73e67de5e4755f30a7843b06349f800929c5273238e2d4263a

                                      SHA512

                                      2b6364b2000638c20fc4b4b854d968229c8f8337be12cd7355a26bce1701bd6f0ed72414ced0d9e53bced8e532893012cde216f740905e67626669d9081e04b7

                                    • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

                                      Filesize

                                      71KB

                                      MD5

                                      b6be101304256001f7f455da58f1219b

                                      SHA1

                                      31b64e6ccd125396c24ab3703ba6db9c7897e97c

                                      SHA256

                                      bb8ddb19c329e2c75a5cf67a9598bd4fa1b30e2b1e88bb192b230f3a67b3afc5

                                      SHA512

                                      f5a33ba8cdbff2510d10e1fd89a009ff893ed4e59a2a2199edf41ee26b547293578536f14ff967118e1e06eb70ff7680a3962b2b78ab5683d2caead87c43d0f0

                                    • memory/1524-643-0x000001897A200000-0x000001897A220000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/1524-677-0x000001897A080000-0x000001897A0A0000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/1524-544-0x0000018977050000-0x0000018977070000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/1524-542-0x0000018976F90000-0x0000018976FB0000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/1524-502-0x0000018975A00000-0x0000018975B00000-memory.dmp

                                      Filesize

                                      1024KB

                                    • memory/1524-524-0x0000018977110000-0x0000018977210000-memory.dmp

                                      Filesize

                                      1024KB

                                    • memory/1524-506-0x0000018976710000-0x0000018976730000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/1524-678-0x0000018978100000-0x0000018978120000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/1524-476-0x0000018964300000-0x0000018964400000-memory.dmp

                                      Filesize

                                      1024KB

                                    • memory/1524-503-0x0000018976480000-0x0000018976580000-memory.dmp

                                      Filesize

                                      1024KB

                                    • memory/3312-2-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3312-442-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3312-1-0x0000000000760000-0x0000000000778000-memory.dmp

                                      Filesize

                                      96KB

                                    • memory/3312-0-0x00007FFB83433000-0x00007FFB83435000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3312-58-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3396-3-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3396-4-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3396-5-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3396-8-0x000002D4FC470000-0x000002D4FC492000-memory.dmp

                                      Filesize

                                      136KB

                                    • memory/3396-15-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3396-19-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB

                                    • memory/3396-18-0x00007FFB83430000-0x00007FFB83EF2000-memory.dmp

                                      Filesize

                                      10.8MB