Analysis

max time kernel: 272s
max time network: 274s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-07-2024 09:17
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win11-20240611-en

Errors

General

Target: XClient.exe
Size: 40KB
MD5: a2abffd7525046355e99e8673c3701fe
SHA1: 6e1aaff66b5aac7a1c3df969b36da6141a95a4f9
SHA256: ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e
SHA512: 96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22
SSDEEP: 768:olc+DXf6pUAbfsW09Uf929NiTnFPw9in6rOphHuUF8M:oW+upUADfnuNYFY9in6rOpxf8M
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: amount-acceptance.gl.at.ply.gg:7420
k2N8rf6LqCqdtF6c
Install_directory: %ProgramData%
install_file: svhost.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1832-1-0x00000000006E0000-0x00000000006F0000-memory.dmp | family_xworm
  C:\ProgramData\svhost.exe | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid | process
  1420 | powershell.exe
  3420 | powershell.exe
  2060 | powershell.exe
  2840 | powershell.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | XClient.exe
Executes dropped EXE (4 IoCs)
Processes:
  pid | process
  4520 | svhost.exe
  5908 | svhost.exe
  5776 | svhost.exe
  5112 | svhost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" | XClient.exe
Drops desktop.ini file(s) (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | Telegram.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | XClient.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | XClient.exe
Enumerates system info in registry (2 TTPs, 13 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Telegram.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | XClient.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Telegram.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Telegram.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Telegram.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | XClient.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XClient.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | Telegram.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Telegram.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | XClient.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Modifies registry class (18 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell\open\command | Telegram.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe\" -- \"%1\"" | Telegram.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\ = "URL:Telegram Link" | Telegram.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe,1\"" | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell\open | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\DefaultIcon | Telegram.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-952492217-3293592999-1071733403-1000\{5F27D797-D571-4704-B161-B7A7F1B26398} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell\open\command | Telegram.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\URL Protocol | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell\open | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\DefaultIcon | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell | Telegram.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe\" -- \"%1\"" | Telegram.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe,1\"" | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell | Telegram.exe
  Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg | Telegram.exe
NTFS ADS (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier | msedge.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  6124 | Telegram.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
  pid | process
  1420 | powershell.exe
  1420 | powershell.exe
  3420 | powershell.exe
  3420 | powershell.exe
  2060 | powershell.exe
  2060 | powershell.exe
  2840 | powershell.exe
  2840 | powershell.exe
  2760 | msedge.exe
  2760 | msedge.exe
  4668 | msedge.exe
  4668 | msedge.exe
  5052 | msedge.exe
  5052 | msedge.exe
  4564 | identity_helper.exe
  4564 | identity_helper.exe
  4824 | msedge.exe
  4824 | msedge.exe
  2548 | msedge.exe
  2548 | msedge.exe
  5244 | msedge.exe
  5244 | msedge.exe
  5244 | msedge.exe
  5244 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (22 IoCs)
Processes:
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1832 | XClient.exe
  Token: SeDebugPrivilege | 1420 | powershell.exe
  Token: SeDebugPrivilege | 3420 | powershell.exe
  Token: SeDebugPrivilege | 2060 | powershell.exe
  Token: SeDebugPrivilege | 2840 | powershell.exe
  Token: SeDebugPrivilege | 1832 | XClient.exe
  Token: SeDebugPrivilege | 4520 | svhost.exe
  Token: SeDebugPrivilege | 5908 | svhost.exe
  Token: SeDebugPrivilege | 5776 | svhost.exe
  Token: SeDebugPrivilege | 5112 | svhost.exe
  Token: SeShutdownPrivilege | 1648 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 1648 | shutdown.exe
Suspicious use of FindShellTrayWindow (59 IoCs)
Processes:
Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid | process
  6124 | Telegram.exe
  6124 | Telegram.exe
  4924 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 1832 wrote to memory of 1420 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 1420 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 3420 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 3420 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 2060 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 2060 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 2840 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 2840 | 1832 | XClient.exe | powershell.exe
  PID 1832 wrote to memory of 2004 | 1832 | XClient.exe | schtasks.exe
  PID 1832 wrote to memory of 2004 | 1832 | XClient.exe | schtasks.exe
  PID 2760 wrote to memory of 2840 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 2840 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3832 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 4668 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 4668 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
  PID 2760 wrote to memory of 3568 | 2760 | msedge.exe | msedge.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

image: C:\Users\Admin\AppData\Local\Temp\XClient.exe
cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
- Drops startup file
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    image: C:\Windows\System32\schtasks.exe
    cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
    - Scheduled Task/Job: Scheduled Task

    image: C:\Windows\SYSTEM32\shutdown.exe
    cmd: shutdown.exe /f /s /t 0
    - Suspicious use of AdjustPrivilegeToken

image: C:\ProgramData\svhost.exe
cmd: C:\ProgramData\svhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffa08353cb8,0x7ffa08353cc8,0x7ffa08353cd8

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5696 /prefetch:8

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5700 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6800 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Telegram\Telegram.exe"C:\Users\Admin\Downloads\Telegram\Telegram.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa389c055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- C:\ProgramData\svhost.exe
  Filesize: 40KB
  MD5: a2abffd7525046355e99e8673c3701fe
  SHA1: 6e1aaff66b5aac7a1c3df969b36da6141a95a4f9
  SHA256: ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e
  SHA512: 96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 98792f2d1b3d638630fa601df6823aed
  SHA1: ee50e507b28f67314752754cce5b2fd3fe739241
  SHA256: 3f63c900813de99733f162952bb27d374ba2e07d7751965b4de4a557cb4478ce
  SHA512: b06c3057f15b00d4d04ac35943e9c2fd44031a72043b79131b0c6a7617ad9c4f2480633bd78ba8d3be61899b5182d2cab6889c0a82e17e9b8a363efed4b69f4b
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
  Filesize: 654B
  MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
  SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
  SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
  SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 46bfadfc09e91238fe82de0fe30d91d2
  SHA1: 5da9d92d08803a52c63c1b96c6027e603e5fc3ef
  SHA256: 99733b0f1fec41252c1cf23c4a77b60aa371815f1c4c6fca5b0f81e81edf0f1d
  SHA512: 594994c4261e410c895b7f9b83562cd35eff449acb8fe1c124939a9e6c6fb8153516aff2445719fb73e8ba9df98c425ab30f247aa30571fc4d9cf2979f7582ae
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 6c9e5afa53a396c5663f22632a417d09
  SHA1: d0ab4eae378aafc7dfbf87e22a3113a642f0633a
  SHA256: 50ded1ff4676a285d97aca12244287f807e5c9dc5d258a63fb22a248557fb9b1
  SHA512: 543d694c98ef09020792e911313b31da77233a39d7de4d7ebe320bbd82b6c830f86983bbd5642b6c546b50de90e1644b80e2fb8400dd95800ec7c44bc17947e5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
  Filesize: 19KB
  MD5: 2e86a72f4e82614cd4842950d2e0a716
  SHA1: d7b4ee0c9af735d098bff474632fc2c0113e0b9c
  SHA256: c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
  SHA512: 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
  Filesize: 62KB
  MD5: c3c0eb5e044497577bec91b5970f6d30
  SHA1: d833f81cf21f68d43ba64a6c28892945adc317a6
  SHA256: eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
  SHA512: 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
  Filesize: 41KB
  MD5: b15016a51bd29539b8dcbb0ce3c70a1b
  SHA1: 4eab6d31dea4a783aae6cabe29babe070bd6f6f0
  SHA256: e72c68736ce86ec9e3785a89f0d547b4993d5a2522a33104eeb7954eff7f488a
  SHA512: 1c74e4d2895651b9ab86158396bcce27a04acfb5655a32a28c37ee0ebd66cd044c3c895db7e14acc41a93db55463310425c188a7c503f0308ce894cf93df219f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
  Filesize: 67KB
  MD5: 9e3f75f0eac6a6d237054f7b98301754
  SHA1: 80a6cb454163c3c11449e3988ad04d6ad6d2b432
  SHA256: 33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf
  SHA512: 5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
  Filesize: 65KB
  MD5: 56d57bc655526551f217536f19195495
  SHA1: 28b430886d1220855a805d78dc5d6414aeee6995
  SHA256: f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
  SHA512: 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
  Filesize: 88KB
  MD5: b38fbbd0b5c8e8b4452b33d6f85df7dc
  SHA1: 386ba241790252df01a6a028b3238de2f995a559
  SHA256: b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
  SHA512: 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
  Filesize: 1.2MB
  MD5: 620dd00003f691e6bda9ff44e1fc313f
  SHA1: aaf106bb2767308c1056dee17ab2e92b9374fb00
  SHA256: eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586
  SHA512: 3e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: b984f65da7fe37c3215b7c61071d3d1a
  SHA1: 3cb407bd7b59845ec7104656ba36b61452d771a6
  SHA256: dd898d0b98db7c43e49d2093bd50bc56b13b615ad97f8774a11ebadf7b2769e6
  SHA512: e449d94547dc45686e86491ef9001447c41d643158e01e99dae9ac1bb881a4bd62eb4ddcfe11feb8bc83e5751e6454e74b37e214d1d4d3a6c3edd067e83f89d5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: a6de053ff6d458b21cb700cfce2188a4
  SHA1: 78f33342b4528c38b3f30bf86a5c35402dbd7e6b
  SHA256: ebafbe2367d781495d71a65f4be31528e46cccd17f80ef3bc41a0e52fc036b10
  SHA512: c96320534532500ef50584cdb2dde6580112e32e530ed1842d25f01c55e7814d8f8373612406e397c71eb7e9aed805dfc9bf5b68b76abc624d2cbe71632a09c8
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: fa3c24cb899c74bdcdf1417e373840b5
  SHA1: 391464240e3e3e3a6e00ab5f367c67fd75cabb06
  SHA256: 4451bdceb91292368b10f2a4ce403c3fcf9b523778e47adfac69b988eadff87f
  SHA512: c1701d6911643c9d0fdb5d1d15bdc514176ab4ebb5fe5495fbc49b364e975c7134be52449cb7d8afbda6253de53296e91934a33e51bc9dc6942cdab9010fdfd4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: e2dc8e649e4daed002fe293e708aa6a8
  SHA1: 7e30aa39003b669fbb538030ad437a6106db4cc6
  SHA256: 147cf5b1400108de4884e9cec0ccd68bc8ae7bc633d1ce619ab7d000ffb0b891
  SHA512: ee7961c7812ca0fa656ec5ef44b85384a69b33117d105f722febe165e9ac26378981a752ef98bed11457d88cfd0b947aaa3df7b1c882abd3afef862874afccc2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: fc3351a3816a28c8eebb9a6a6d3f3d09
  SHA1: ce5d19a61bd7a8fe387a14d7cd58c250a47cfdd7
  SHA256: aa5a12ec18b84273aada25efd39e1752bd7db4155a0059f42a924ea8047e2e35
  SHA512: 65b02bb2ec95cf41ce9532f1006f9954b62956e4800cf58779204de30fe77a8ba4309d7e7aa2eb1ce19d67592be7cf609c431b2a46060b1e0b91275515ed3a3d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: f117d06cb4aab99f8b681a6ccc17d2c6
  SHA1: 09e4b61f28d9ca95a8ad6a0c5a7e334630b02695
  SHA256: 5111140425311aded0efe4658e7061aff08a0c0f793577e948340d46213671e6
  SHA512: b348e428839652f6b35f61e0bc4de41630c3b04b3265301c5a281ed6b8e40f8c2001a1f58d13085b99d1b7e5f20fd3bf3f350ce56b3750ca0ca4a82e261909b5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 41a7a29e0335cd8781ea125f1509ea24
  SHA1: 82ff48ed5e4ad037ffd3a3b0237574c23db85a3e
  SHA256: 885c0be1bf9c76caf2f5e73bb51ec3caeda35b18f9469cad764a52a51ccc6c55
  SHA512: 9ba1bd9d1a3855a465b84da2c81d1c53034f96f7a27fe4bfb9a1605422eace1b17d67a722960bc726c61929e36e7d2bae33b71dcd54dd534a1dabca9f32df686
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 25KB
  MD5: cd6050d3a6e28fcc0a9df3e9f978f892
  SHA1: 7895b95d23de6bd2576f4a429ab578ce73f5cf6d
  SHA256: 89c9102fa54294c738a0a4ea65cb93f59033074669fcda7e59d09cdb552f9b0c
  SHA512: 02f866882c952386719a340be79817e79d22e1c040d8b7e13d52e511b4c1ac721731e0e039623027c0938d28dad36ecf6d6a7f969667bfd29884d24204a014cf
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 78d1122f61459c8468beb793082db77a
  SHA1: aca1d1d21113b6a179182cc5a8c04ef84aec64c8
  SHA256: ef6b23de87c4a90e4b702ea90cb27ccfb67c2f666560f0d95937c1e03f73bf56
  SHA512: dc28d20027aa9a007fbe4b860ec3f38951b2a23527417923adf92197a67df789de1b94a2fbff7f16aed1dc3e8037d1bd82c05863afbc77e376b5d8a30dcd427c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 315c49cc1678b2a8cacbb04d57bcdcc6
  SHA1: 461c4ec8eca02350d163940a2e0178f9d14b305f
  SHA256: 11f03f4fde08509b6c518e25009c330cadec544fb645aee1c328eeb6a3854a5e
  SHA512: 1e23d8681ec21d2e00e3bd7fcd9d8b633f28cd3cf6ebdb6b6583e25450e1d4d13da75534013a80eb16966f9f32edf0949a579c89cb9a9542abee84b608eb5f3f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5890b2.TMP
  Filesize: 1KB
  MD5: 00a0a8e5dc275c02825c52ee16536013
  SHA1: 739151dbd4cb2632ba90100bc94ce8346b8d794b
  SHA256: 9408a5d58ed015845aefc927a3a0dc2a6741f884b4773d99d248933f35b4b011
  SHA512: f87a7311a5395168ee2d649ce3a7568e513f2c87a0d2d3c69646c477c7eeb1bb130c5a3193a560e0b639186ccbc203b6ec62c3926e2fbf6660d1895f889bc61b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: d5f3606fed855e0ddaa907333d52f978
  SHA1: 1a90bad6b08e81fd96f3ed38beb40b3113b1a7d5
  SHA256: c55ceddc69faa7f4b26a0ace06c54cbfa418090f689150188b9a41d7ed2435e2
  SHA512: 50ea78bec288da1ea9e8e92e14ac4a07616620fde755b9b1966ebb5a9c7a5337f1d9082fb0c7f70d6453d44f87793640c2b96a6d111d9e0cd8aec634ef819136
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: aa187aa4e965e85421bb72f7883f6630
  SHA1: ff05216c766d61f39833e1d1b53f8738f01379a7
  SHA256: d9b53b8c7b9545190dc06e735fa2b40b9397787a6503c1adf72fda3131413079
  SHA512: 60716147c8fbfafeba1c3f1336ea31ffcf55f61520299f0b01be04793973fd7392c34764aac3e90db7d5f86841b73fcedc3c07f79f110e334278a55539976e7f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: e32254d2b1dd8b4a4f75b90944cfdb78
  SHA1: 257aa296e80fff5787cdbe43d7b33f9c91fb8832
  SHA256: 76f2227c2d1c799e39b5017826d83a2bfc300489f7eb2b265fa04a0234f0037a
  SHA512: f2b73d43db93085dcab6b365413c150cb979dc00d76866ebcc69ea9fcf82bb126da82ccc1ca4a2d164239f1c01aea37b18306f916c9db4c48b8b65bd14ddd9ad
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 051a74485331f9d9f5014e58ec71566c
  SHA1: 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
  SHA256: 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
  SHA512: 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 856900844f6f1c326c89d0bcfb2f0c28
  SHA1: 1caad440d46fa8c0cbed4822b4be2bbdddba97c2
  SHA256: ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32
  SHA512: ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlhb4135.4ku.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier
  Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
- \??\pipe\LOCAL\crashpad_2760_RVOAAUZMZXPSISNF
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1420-11-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1420-10-0x000001B6DF400000-0x000001B6DF422000-memory.dmp
  Filesize: 136KB
- memory/1420-19-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1420-18-0x000001B6DF470000-0x000001B6DF5BF000-memory.dmp
  Filesize: 1.3MB
- memory/1420-15-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1420-14-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1420-13-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1420-12-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1832-62-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1832-58-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/1832-61-0x000000001B410000-0x000000001B41C000-memory.dmp
  Filesize: 48KB
- memory/1832-60-0x000000001CE60000-0x000000001D388000-memory.dmp
  Filesize: 5.2MB
- memory/1832-59-0x000000001BD60000-0x000000001BD6C000-memory.dmp
  Filesize: 48KB
- memory/1832-637-0x000000001C7A0000-0x000000001C850000-memory.dmp
  Filesize: 704KB
- memory/1832-0-0x00007FFA0D273000-0x00007FFA0D275000-memory.dmp
  Filesize: 8KB
- memory/1832-1-0x00000000006E0000-0x00000000006F0000-memory.dmp
  Filesize: 64KB
- memory/1832-773-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp
  Filesize: 10.8MB
- memory/2060-42-0x000001D35B140000-0x000001D35B28F000-memory.dmp
  Filesize: 1.3MB
- memory/2840-53-0x000001C35A190000-0x000001C35A2DF000-memory.dmp
  Filesize: 1.3MB
- memory/3420-31-0x0000021DFAFC0000-0x0000021DFB10F000-memory.dmp
  Filesize: 1.3MB