Analysis Overview
SHA256
12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906
Threat Level: Known bad
The file playit-0.9.4-signed.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Drops startup file
A potential corporate email address has been identified in the URL: [email protected]
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:52
Reported
2024-11-09 22:54
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
A potential corporate email address has been identified in the URL: [email protected]
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe
"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"
C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
"C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playit.gg/claim/afa678ea99
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbbc846f8,0x7ffdbbc84708,0x7ffdbbc84718
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.playit.cloud | udp |
| US | 104.21.61.101:443 | api.playit.cloud | tcp |
| US | 8.8.8.8:53 | 101.61.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | playit.gg | udp |
| US | 104.26.5.160:443 | playit.gg | tcp |
| US | 8.8.8.8:53 | 160.5.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 147.185.221.23:24311 | N/A | tcp |
| US | 8.8.8.8:53 | 23.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.23:24311 | N/A | tcp |
| US | 8.8.8.8:53 | unpkg.com | udp |
| US | 104.17.246.203:443 | unpkg.com | tcp |
| US | 8.8.8.8:53 | 203.246.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 104.21.61.101:443 | api.playit.cloud | tcp |
| US | 8.8.8.8:53 | control.playit.gg | udp |
| DE | 209.25.141.1:5523 | control.playit.gg | udp |
| US | 104.21.61.101:443 | api.playit.cloud | tcp |
| US | 8.8.8.8:53 | 1.141.25.209.in-addr.arpa | udp |
| US | 209.25.141.2:5512 | N/A | udp |
| US | 8.8.8.8:53 | 2.141.25.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files