Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 11:30
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20240508-en
General
- Target: XClient.exe
- Size: 56KB
- MD5: 8ce0fbc6a03e34c4a6e0f526df77607e
- SHA1: 37c79d70a2f9f5f79d1194a0e9b2c5763f4f14b4
- SHA256: 4a6979fd1860a2876e587fefc9a838c1b9c54625ea927260a6b628d6972f4e7f
- SHA512: be6c8b31f5ec044353b6228af243d17f2470b5a536fc4c353c90e149354e8ff60f2e5edef51e28dbec47a093c8dac777cdd7d4c826f08e732f5632aff6c8ba6b
- SSDEEP: 768:gkjmsmfXz+TkuL3GPSw7xSuSop7TlbUSEYOANAL61bdO9h4ostF:gKmsmve3GPSUBtpdbUXYiL6bO9K
Malware Config
Extracted family: xworm
- 127.0.0.1:24978
- second-represent.gl.at.ply.gg:24978
- Install_directory: %AppData%
- install_file: svchost.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
- resource: behavioral2/memory/3292-1-0x0000000000940000-0x0000000000954000-memory.dmp
  yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 5000 powershell.exe
- pid 4792 powershell.exe
- pid 4356 powershell.exe
- pid 1668 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- XClient.exe: Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- XClient.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 3: ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies data under HKEY_USERS 2 IoCs
Processes:
- chrome.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- chrome.exe: Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643071140581850"
Modifies registry class 1 IoCs
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 1832 vlc.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
- pid 4792 powershell.exe (2 entries)
- pid 4356 powershell.exe (2 entries)
- pid 1668 powershell.exe (2 entries)
- pid 5000 powershell.exe (2 entries)
- pid 464 chrome.exe (2 entries)
- pid 2384 msedge.exe (2 entries)
- pid 5340 msedge.exe (2 entries)
- pid 6028 msedge.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1832 vlc.exe
Suspicious behavior: LoadsDriver 10 IoCs
Processes:
- pid: 4, 4, 4, 4, 4, 664, 4, 4, 4, 4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
- pid 464 chrome.exe (6 entries)
- pid 6028 msedge.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
- Token: SeDebugPrivilege, pid 3292 XClient.exe (2 entries)
- Token: SeDebugPrivilege, pid 4792 powershell.exe
- Token: SeDebugPrivilege, pid 4356 powershell.exe
- Token: SeDebugPrivilege, pid 1668 powershell.exe
- Token: SeDebugPrivilege, pid 5000 powershell.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege alternating, pid 464 chrome.exe (36 entries)
- Token: SeDebugPrivilege, pid 5872 firefox.exe (2 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
- pid 464 chrome.exe (repeated, one entry per call)
- pid 6028 msedge.exe (repeated, one entry per call)
- pid 5872 firefox.exe (4 entries)
- pid 1832 vlc.exe (7 entries)
Suspicious use of SendNotifyMessage 58 IoCs
Processes:
- pid 464 chrome.exe (repeated, one entry per call)
- pid 6028 msedge.exe (repeated, one entry per call)
- pid 5872 firefox.exe (3 entries)
- pid 1832 vlc.exe (7 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 5872 firefox.exe
- pid 1832 vlc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 3292 XClient.exe wrote to memory of PID 4792 powershell.exe (2 entries)
- PID 3292 XClient.exe wrote to memory of PID 4356 powershell.exe (2 entries)
- PID 3292 XClient.exe wrote to memory of PID 1668 powershell.exe (2 entries)
- PID 3292 XClient.exe wrote to memory of PID 5000 powershell.exe (2 entries)
- PID 464 chrome.exe wrote to memory of PID 3888 chrome.exe (2 entries)
- PID 464 chrome.exe wrote to memory of PID 2380 chrome.exe (repeated, one entry per call)
- PID 464 chrome.exe wrote to memory of PID 4024 chrome.exe (2 entries)
- PID 464 chrome.exe wrote to memory of PID 412 chrome.exe (repeated, one entry per call)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- [level 1] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff93f0ab58,0x7fff93f0ab68,0x7fff93f0ab78
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:2
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:8
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:8
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:1
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:1
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:1
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:8
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:8
  - [level 2] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
    - [level 3] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7c494ae48,0x7ff7c494ae58,0x7ff7c494ae68
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4964 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:1
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5036 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:1
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4756 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:1
- [level 1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- [level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4e00c059h943bh45a3ha78fha98389280c28
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff938546f8,0x7fff93854708,0x7fff93854718
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11655611526482981639,1812132934780704134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,11655611526482981639,1812132934780704134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,11655611526482981639,1812132934780704134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
- [level 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [level 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch -contentTile -url 0 https://word.office.com
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff938546f8,0x7fff93854708,0x7fff93854718
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  - [level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
- [level 1] C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - [level 2] C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - [level 3] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.0.951831163\1176126428" -parentBuildID 20230214051806 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b2d0916-1c38-4b92-9c4f-2489e135af60} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 1868 1b65700e058 gpu
    - [level 3] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.1.2112315610\488125247" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17f0e59b-61b8-41d9-b60c-55792b5a7fcf} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 2452 1b64a285358 socket
      - Checks processor information in registry
    - [level 3] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.2.2018651387\1163855934" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3016 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {823b154c-6e6d-4d11-8468-4eef73bc92b3} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 2912 1b6598f4258 tab
    - [level 3] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.3.1247988039\854034135" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {539b3aec-cd86-454f-bc9f-faf413b6fa94} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 3700 1b64a276258 tab
    - [level 3] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.4.1895831511\889123005" -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54c8270c-7ae8-4c2c-a136-f2cc1ce03d0e} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 4920 1b65dd6e758 tab
    - [level 3] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.5.1073859770\771849417" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3085a8d9-fcb2-42f3-acb9-bc11dbd7106f} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 4964 1b65dd6f658 tab
    - [level 3] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.6.1757250339\1392733380" -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ff85431-f05f-44f6-95f0-75489a9b0df8} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 5276 1b65dd6ed58 tab
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CloseWait.DVR-MS"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 811B
  MD5: 6b3e8269cae5cfab0c294411aa0aa798
  SHA1: 603e4931799407b6038fe2badd0a1d3cb2452216
  SHA256: 1de7fad961ee7fee151ec6848bc15ca4a0820353a4290e997cbffaaac3c6b3c5
  SHA512: 54e21b9c045c601145d7e8133c03aecbaff7f6ad918d7afc6f14b596d335d86022415d9601f87355d8d0eaaff7f422ab00e077469d1c0a15f9082e742f20f266
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: f8d5daca5f6417e1e2a5362ab226060d
  SHA1: 7dca1681be52c5d6a0d144f28271809add7bb8e9
  SHA256: db452094bd507a462a2c3dc93e4085ade4c27d76889ad440a636445b7d625306
  SHA512: b8bbf78fa81ad3011df3c9fe28d1d028fad67533c187f4f3f3a5cfa89568ad3692a5ee65bce38dbff1122a710d3e69add2c10eef03489bd0dca27cedb1d64466
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 257KB
  MD5: daa59d13248b1bdadcd28d33de1217e1
  SHA1: 0602836f418c57d4422309fca7a87ff35eef9472
  SHA256: 5762ac9bf62dc4c8efb5547ce517a2d69e7c445fe655b5e024764398c1d75ef2
  SHA512: 029d934649b9c437c1b54d5bf2761016381588932f3b484c8cd9fe1f6954971435bce74d163b0b09e3fd51856eb2c257197c33919fcfc3c10409b28d2390607b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 257KB
  MD5: dd59103793a2b715a06dc390ad01fa34
  SHA1: e88a5a7a70132efa2479e2a2a554c94eec440bd5
  SHA256: 13f1205d1efb398b544e5615ac988da18ac2d3c7bc93f0840bab87968e191e4a
  SHA512: 56890172af94abd384c96bf0fdb954d79620a25b8ee7e1f9bd32250b3d43e30117cb48e1c097a84c20e363f57e325d2284a60dcede37037993c9460693e5a996
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 257KB
  MD5: 11cfa3532d8e94744fe183bb5f19c72f
  SHA1: d871d0d1f908caa67023458c6cd747aa2d3f7d97
  SHA256: e0f21ccb5ac649e1ccf54c4e9e427eda9f533264eee74ff5cb29bf621cdd9dea
  SHA512: 9bb0f24e6bb625eabe439720302c8373a2d4e70514baf160d96a205591fe4bf823ac590d38f15c0213ccd82a734af748890d6945bf99d36eebe58a26e123f8cd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4158365912175436289496136e7912c2
  SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
  SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
  SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ce4c898f8fc7601e2fbc252fdadb5115
  SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
  SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
  SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f50a091b253172037dd77531196b8e6a
  SHA1: 7b7f973390d1ca3ab838fbadd952031b92cf2f2c
  SHA256: 518fbb4abc9695517fc23bc4e93b866318f41deef16b265c3d3d11e3a4855225
  SHA512: 0f650bbaa413b1a4bed72de2420104e9d032e47bd3a06e8a7c9b93d24ff1770d1dd9775d09931410da99e6c77ec5c5f0982dec6fcbd77d4939f413aeee447856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\84aefb38-8539-4473-bbeb-fa0a73973e74.tmp
  Filesize: 1B
  MD5: 5058f1af8388633f609cadb75a75dc9d
  SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
  SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
  SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 61B
  MD5: 4df4574bfbb7e0b0bc56c2c9b12b6c47
  SHA1: 81efcbd3e3da8221444a21f45305af6fa4b71907
  SHA256: e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
  SHA512: 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: c9f5fde729a11497338fbb81f105cc94
  SHA1: 4d6d864dac4ba46ec109aeea2e724e5e53d29571
  SHA256: 0d81d136997cf0b5e7688adcb3794ec6fd66d339e79b8132e5c9ce473607c1b0
  SHA512: 11810105c6f450826c93c41932a84b618378e194b0ebfc87e0eaef2fad34e61865f2ebf9aceea655db95a68c01115c235b5bb86e3a9e274550c6b0b22b7f28ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 2c67792be209d393fd9d5fc857b5f913
  SHA1: f360db739807723b862dc9e2c91f7513943dd3ca
  SHA256: eaa2e15c927b13466e88091ebd47463969f07725b4b3ee0b2738c0c3d761948a
  SHA512: ad9106620713e0807ba6282da1b329dafdcb904306894ac0c5fc4d6bc029a8e0f4b8c6c3e6bb619e9580f695bfc140e58bdbb32fa70b0fe1b7a19c944a4dbfbf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
  Filesize: 347B
  MD5: 723af4c51f5952e2e320322538fdbca5
  SHA1: 6bc1df2931c34e2b4a9ddb836919c36cade072df
  SHA256: 2f0be5b1f9d260b0c2648d4f569dbf8e1a0955379597ddb4dc30930ac78017ea
  SHA512: c5e5807d1481eb0798adf45d7602f39ef7f376deb4ef27ccb84eb25e37fa2c38ce1ac2ab5d45a6c10364ad7b999526b097849b585d4bd7d891b7c540af2b8e84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
  Filesize: 323B
  MD5: 0e24d058861848742447c7d5c74ebc25
  SHA1: efca6664675619f528eef9da58468e7b812f9b66
  SHA256: 6d0e40e55c33b5d185328b2b84eea8ae4a5a96c474d8ddd4fae310783bc02b99
  SHA512: 7e7d7dde9cfc6753776520be18498238c65830641e782d46a4a1a285b698ba7352a166cb978f52340d8f7e44648cbd5f4f1c5d79d964503750e5639b87a4ec75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
  Filesize: 11B
  MD5: 838a7b32aefb618130392bc7d006aa2e
  SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
  SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
  SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: c58aa4e9228d3501404b043c0ef9d253
  SHA1: ac1a834ff82b55f718d9853be67335d01ed9833e
  SHA256: a502fa92307e715ea336eb26e655340e7c41946740ac360696ad4f56ce1e7988
  SHA512: eedb314a2b9ad5edf1a8b866a4b62b7066668582f963c661db808a46064786ec810bb71d04c409ee2c7f7102540cc7cb99c7d578ce85209ff7e68c4915190179
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: bd8d1d64910905f912cb31364d4a58e4
  SHA1: 03e59cc7074b74c69c2773a86ad4e0fa46db5527
  SHA256: ddf44f92a64b9f6929ebc7dbab6d15b7c33215f5e0fcd7b47fe1dd02d576b985
  SHA512: b636d6048c5da5bfcd4ae6d27bf285ccd806af6de8f884c2376e84738de4e6e1c427d0dcf45c3bf78fc6ac712cc5bab063078f35d913d5ba0573dc27cb7e7fda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: eb1ad317bd25b55b2bbdce8a28a74a94
  SHA1: 98a3978be4d10d62e7411946474579ee5bdc5ea6
  SHA256: 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
  SHA512: d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 34f595487e6bfd1d11c7de88ee50356a
  SHA1: 4caad088c15766cc0fa1f42009260e9a02f953bb
  SHA256: 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
  SHA512: 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 27KB
  MD5: 0cffff6e312deaa9d3794f6eb1576bcc
  SHA1: df81d8e28278e02a4906abe22165f15ff92aa2b1
  SHA256: baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc
  SHA512: e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_koyg0kuv.wc5.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
  Filesize: 7KB
  MD5: c96ca87911b8e5ace200a43682409749
  SHA1: a0068dc99674224303f249c8656c559c1a67502c
  SHA256: a78678131a671bc6cf15a036841cf159e9852a1ff6ecabe8a01b6f5ece576970
  SHA512: ca9c3f9a15d8b98c6dd7e24e2a54a1c5a63a4991eccf870219a62c864063f3365c7c51d52942bc8da1341c772f81096858b14879100781ca7531dd81a7e9a4ff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4
  Filesize: 903B
  MD5: 2a92dae6837b02aa37c3a70b82a05877
  SHA1: 6b713a81e5dc8832fa5a82c1ea011cf04d71a901
  SHA256: a10a382a3f8fd67fedf881dafc640de25a0a6afa12f64ef5ea3b6ab366d60a0d
  SHA512: cef45341c1228331ee646e61df8797a940c72e9421e03cb684756579e37bfc52d1ee36e8b51df504d6f12822992948183b96d020ef50fd7e80da2c4fa453f47b
-
\??\pipe\crashpad_464_MLLNYHXAQFBZAQZO
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3292-0-0x00007FFF98773000-0x00007FFF98775000-memory.dmp
  Filesize: 8KB
-
memory/3292-2-0x00007FFF98770000-0x00007FFF99231000-memory.dmp
  Filesize: 10.8MB
-
memory/3292-54-0x00007FFF98770000-0x00007FFF99231000-memory.dmp
  Filesize: 10.8MB
-
memory/3292-1-0x0000000000940000-0x0000000000954000-memory.dmp
  Filesize: 80KB
-
memory/4792-8-0x00007FFF98770000-0x00007FFF99231000-memory.dmp
  Filesize: 10.8MB
-
memory/4792-18-0x00007FFF98770000-0x00007FFF99231000-memory.dmp
  Filesize: 10.8MB
-
memory/4792-13-0x0000024A0E5B0000-0x0000024A0E5D2000-memory.dmp
  Filesize: 136KB
-
memory/4792-14-0x00007FFF98770000-0x00007FFF99231000-memory.dmp
  Filesize: 10.8MB
-
memory/4792-15-0x00007FFF98770000-0x00007FFF99231000-memory.dmp
  Filesize: 10.8MB