Analysis
max time kernel: 1795s
max time network: 1800s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-06-2024 21:13
Behavioral tasks
behavioral1: sv.exe on win7-20240611-en
behavioral2: sv.exe on win10-20240404-en
behavioral3: sv.exe on win10v2004-20240508-en
behavioral4: sv.exe on win11-20240508-en
The signatures, process tree and dropped files below are from behavioral4 (win11-20240508-en), the resource named in the Analysis header; the memory-dump IoCs are prefixed behavioral4/ accordingly.
General
Target: sv.exe
Size: 63KB
MD5: c095a62b525e62244cad230e696028cf
SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP: 1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted: xworm
C2: amount-acceptance.gl.at.ply.gg:7420
Install_directory: %ProgramData%
install_file: svhost.exe
Extracted: xworm
Version: 5.0
C2: amount-acceptance.gl.at.ply.gg:7420
k2N8rf6LqCqdtF6c
Install_directory: %ProgramData%
install_file: svhost.exe
Both extractions agree on the install location (%ProgramData%\svhost.exe) and the C2 endpoint. The C2 hostname is under gl.at.ply.gg, a playit.gg tunnel domain, so the address resolves to the tunnel service rather than to the operator's own host; block or hunt on the full hostname and port, not just the resolved IP.
Signatures
-
Detect Xworm Payload (4 IoCs)
Processes (yara rule family_xworm):
- behavioral4/memory/2972-1-0x0000000000EE0000-0x0000000000EF6000-memory.dmp (sv.exe, PID 2972)
- C:\ProgramData\svhost.exe
- C:\Users\Admin\AppData\Local\Temp\pmxncw.exe
- behavioral4/memory/4844-203-0x0000000000CB0000-0x0000000000CC0000-memory.dmp (pmxncw.exe, PID 4844)
Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes: powershell.exe PIDs 2288, 2140, 4852, 4272, 1412, 2044, 3304, 2132
Drops startup file (3 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (sv.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (sv.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (pmxncw.exe)
Executes dropped EXE (31 IoCs)
Processes: pmxncw.exe PID 4844; svhost.exe PIDs 3148, 2844, 1664, 3840, 3808, 2216, 3904, 3976, 2804, 1404, 2316, 2876, 900, 1624, 1924, 2796, 4372, 2252, 4636, 4300, 768, 860, 3264, 4092, 5024, 4616, 1180, 1392, 564, 1496
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" (sv.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" (pmxncw.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (msedge.exe):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
This signature fires on msedge.exe, which sv.exe launched to open a local HTML file (see the process tree), not on the sample's own code.
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe PIDs 2840, 2624
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: powershell.exe PIDs 2044, 3304, 2132, 2288, 2140, 4852, 4272, 1412 (2 entries each); msedge.exe PIDs 1444, 1840, 3876 (2 entries each) and 4600 (4 entries); identity_helper.exe PID 2796 (2 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: sv.exe PID 2972; pmxncw.exe PID 4844
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe PID 1840 (7 entries)
Suspicious use of AdjustPrivilegeToken (44 IoCs)
Processes:
- SeDebugPrivilege: sv.exe PID 2972 (2 entries); powershell.exe PIDs 2044, 3304, 2132, 2288, 2140, 4852, 4272, 1412; pmxncw.exe PID 4844 (2 entries); svhost.exe PIDs 3148, 2844, 1664, 3840, 3808, 2216, 3904, 3976, 2804, 1404, 2316, 2876, 900, 1624, 1924, 2796, 4372, 2252, 4636, 4300, 768, 860, 3264, 4092, 5024, 4616, 1180, 1392, 564, 1496
- Token 33 and SeIncBasePriorityPrivilege: AUDIODG.EXE PID 4280
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes: msedge.exe PID 1840 (26 entries)
Suspicious use of SendNotifyMessage (12 IoCs)
Processes: msedge.exe PID 1840 (12 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- sv.exe PID 2972 wrote to the memory of its children (2 entries each): powershell.exe PIDs 2044, 3304, 2132, 2288; schtasks.exe PID 2840; msedge.exe PID 1840
- msedge.exe PID 1840 wrote to the memory of its child msedge.exe processes: PID 1884 (2 entries), PID 1444 (2 entries), PID 2448 (8 entries) and PID 1696 (the remaining 40 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Tree depth is given in brackets; each entry is the recorded command line, followed by the signatures that process triggered.
-
[1] "C:\Users\Admin\AppData\Local\Temp\sv.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[2] "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
- Scheduled Task/Job: Scheduled Task
-
[2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\auqmjx.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
sv.exe launches Edge on a local HTML file dropped to %TEMP%; the browser-attributed signatures on this process and its children (BIOS registry reads, FindShellTrayWindow, SendNotifyMessage, writes into child msedge.exe processes) come from Edge itself, not from code in the sample.
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8323f3cb8,0x7ff8323f3cc8,0x7ff8323f3cd8
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4692 /prefetch:8
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
-
[2] "C:\Users\Admin\AppData\Local\Temp\pmxncw.exe"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
pmxncw.exe is a second XWorm stage dropped and run by sv.exe (it matches the family_xworm yara rule on disk and in memory) and repeats the same install routine: Defender exclusions for itself and for svhost.exe, the same "svhost" scheduled task, the same Run key and Startup .lnk.
-
[3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pmxncw.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pmxncw.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[3] "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
- Scheduled Task/Job: Scheduled Task
-
[2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://exmple.com/
-
[3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8323f3cb8,0x7ff8323f3cc8,0x7ff8323f3cd8
-
[1] C:\ProgramData\svhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[1] C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D4
- Suspicious use of AdjustPrivilegeToken
-
[1] C:\ProgramData\svhost.exe (29 further launches, each recorded as a separate top-level process with the same two signatures)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Thirty top-level svhost.exe launches over a run of 1795 s of kernel time (about 30 minutes) are consistent with the task registered above: /sc minute /mo 1 starts C:\ProgramData\svhost.exe once a minute at /RL HIGHEST, and each instance appears at depth 1 because it is started by the Task Scheduler rather than by sv.exe. Removing the binary without deleting the "svhost" task, the Run key and the Startup .lnk leaves three independent re-launch paths in place.
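The tree above shows the whole chain on one parent: four PowerShell exclusions, one schtasks /create, one Run value and one Startup .lnk, all pointing at the same binary. The following detection logic is an added example (not part of the sandbox report and not any vendor's rule set) that scores that correlation rather than the individual commands. PIDs, paths, the Run key and the command lines are copied from the report; the event-dict layout, the rule names and the extra PID 5000 exclusion (constructed noise from an unrelated shell) are assumptions for the example.

```python
import re
from collections import defaultdict

# Paths, PIDs, registry key and command lines are copied from the report;
# the event-dict layout is an assumption for this example, not a real EDR schema.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SV = r"C:\Users\Admin\AppData\Local\Temp\sv.exe"
SVHOST = r"C:\ProgramData\svhost.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\svhost")
STARTUP_LNK = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\svhost.lnk")

# Constructed events modelled on sv.exe (PID 2972) and its children, plus one
# unrelated exclusion (PID 5000, constructed) to show how the scoring differs.
EVENTS = [
    {"type": "process", "pid": 2972, "ppid": 1, "image": SV, "cmdline": f'"{SV}"'},
    {"type": "process", "pid": 2044, "ppid": 2972, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{SV}\''},
    {"type": "process", "pid": 3304, "ppid": 2972, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'sv.exe\''},
    {"type": "process", "pid": 2132, "ppid": 2972, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{SVHOST}\''},
    {"type": "process", "pid": 2288, "ppid": 2972, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'svhost.exe\''},
    {"type": "process", "pid": 2840, "ppid": 2972, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "svhost" /tr "C:\ProgramData\svhost.exe"'},
    {"type": "registry", "pid": 2972, "key": RUN_KEY, "value": SVHOST},
    {"type": "file", "pid": 2972, "path": STARTUP_LNK},
    {"type": "process", "pid": 5000, "ppid": 4000, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath \'D:\\Builds\''},
]

# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension <quoted or bare value>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:['\"]([^'\"]+)['\"]|(\S+))",
    re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the persistence-relevant switches of a `schtasks /create` command, else None."""
    if not re.search(r"schtasks(\.exe)?\"?\s.*?/create\b", cmdline, re.IGNORECASE):
        return None

    def opt(name):
        # A switch value is either "quoted" (may contain spaces) or one bare token.
        m = re.search(rf"/{name}\s+(?:\"([^\"]+)\"|(\S+))", cmdline, re.IGNORECASE)
        if m is None:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)

    return {"schedule": (opt("sc") or "").lower(), "modifier": opt("mo"),
            "runlevel": (opt("rl") or "").upper(), "task": opt("tn"), "target": opt("tr")}


def _owner(event, procs):
    """Charge a powershell/schtasks child's action to the process that spawned it."""
    proc = procs.get(event["pid"])
    if (proc and proc["ppid"] in procs
            and proc["image"].lower().endswith(("powershell.exe", "schtasks.exe"))):
        return proc["ppid"]
    return event["pid"]


def analyze(events):
    """Group exclusion, scheduled-task, Run-key and Startup-folder evidence per actor PID."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chains = defaultdict(lambda: {"exclusions": [], "tasks": [], "run_keys": [], "startup_files": []})
    for e in events:
        ev = chains[_owner(e, procs)]
        if e["type"] == "process":
            for kind, quoted, bare in EXCLUSION_RE.findall(e["cmdline"]):
                ev["exclusions"].append((kind.lower(), quoted or bare))
            task = parse_schtasks(e["cmdline"])
            if task:
                ev["tasks"].append(task)
        elif e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower():
            ev["run_keys"].append(e["value"])
        elif e["type"] == "file" and "\\start menu\\programs\\startup\\" in e["path"].lower():
            ev["startup_files"].append(e["path"])
    return dict(chains)


def findings(events):
    """Score each actor: an exclusion alone is 'medium'; an exclusion that covers the
    actor's own persistence target (task /tr or Run value) is 'high', as in this report."""
    out = {}
    for pid, ev in analyze(events).items():
        excluded = {value.lower() for _, value in ev["exclusions"]}
        indicators = []
        if ev["exclusions"]:
            indicators.append("defender_exclusion_added")
        for t in ev["tasks"]:
            if t["schedule"] == "minute" and t["runlevel"] == "HIGHEST":
                indicators.append("high_frequency_elevated_task")
            if t["target"] and t["target"].lower() in excluded:
                indicators.append("task_target_excluded_from_defender")
        if any(v.lower() in excluded for v in ev["run_keys"]):
            indicators.append("run_key_target_excluded_from_defender")
        if ev["startup_files"]:
            indicators.append("startup_folder_lnk_dropped")
        if not indicators:
            continue
        persisted = bool(ev["tasks"] or ev["run_keys"] or ev["startup_files"])
        severity = "high" if ev["exclusions"] and persisted else "medium" if ev["exclusions"] else "low"
        out[pid] = {"severity": severity, "indicators": indicators}
    return out


if __name__ == "__main__":
    for pid, f in findings(EVENTS).items():
        print(pid, f["severity"], ", ".join(f["indicators"]))
```

The point of the correlation step is that a lone Add-MpPreference from an administrator's shell (PID 5000 here) only scores medium, while the sv.exe chain scores high because the excluded path is the same path the task and the Run value launch. In production the same logic would consume process-creation, registry-value-set and file-create telemetry (Sysmon event IDs 1, 13 and 11); Defender's own "configuration changed" event 5007 in the Microsoft-Windows-Windows Defender/Operational log records the new exclusion even where command-line logging is missing.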
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution:
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\ProgramData\svhost.exe
Filesize: 63KB
MD5: c095a62b525e62244cad230e696028cf
SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
The hashes match the submitted sv.exe exactly: the install step copies the sample to %ProgramData%\svhost.exe unchanged, so the file hashes from the General section identify the persisted copy as well.
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize: 654B
MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\30786ba6-6adc-442f-8e63-5a26ac2dd56e.tmp
Filesize: 10KB
MD5: be8b94936345a953deda9db090e00687
SHA1: e62c9cc9b9cfe03a34a7370176970b62b1377ac2
SHA256: 1142a5d97697a793715565acf67160424334d67b5d2d90a9a1c468f49bf8b727
SHA512: f6749eef31d598c72bdc434368787933493b26d5f065cad7597190b4f1b51e2b4f0d085a5bbb005ddb95a6540f33a4fc1da1bd908be6c95235f22adb6ab8c41c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: c1c7e2f451eb3836d23007799bc21d5f
SHA1: 11a25f6055210aa7f99d77346b0d4f1dc123ce79
SHA256: 429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800
SHA512: 2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 6876cbd342d4d6b236f44f52c50f780f
SHA1: a215cf6a499bfb67a3266d211844ec4c82128d83
SHA256: ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e
SHA512: dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5: cd71bad4f6de79d4860699870d0f4f1f
SHA1: 10335ea26d09637ad9607b2fe877f49f75cd5285
SHA256: 6cc338e3cdb6ce33dec53b7c327a225591b52df2ce00bb123747283efe5b7a38
SHA512: cd44d6c5edcfd8362f94ee454e516fc10f4677174be5b03023dc302026940c1dd31bb3616ffc8410396d27014552341e4f2e687f0d3f504ba3bec7e1684a9aa4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 185B
MD5: efa3b79297b792ddfa72609e2389407a
SHA1: 7c959b0d9c508607119d7c112fe81939169c8ccb
SHA256: 04371cb7276a5868761433e311d805f97da580075fc9bf1a66f0a9d8ac9a4017
SHA512: 1f08b7ea9823ae979382586db83b05c0d0dc5cb565b3946fb8134c0dfaaf61fdf80d6c666ceca6522964ac446d2a2e798e1f0eaff3dd2ab5cae88a793db20eaf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 21fcd7317a754c5e572ed29bc67faa5c
SHA1: 19bfa5b811105840cbce03a39b6593a572cde063
SHA256: 00bb8646d41fa9ebac6714f69a5f279158ae9262085d56344a8defa0e277221b
SHA512: 795a237b8ef6dcb986ead6f4908b3e33d5fb4b5376969321cbc79397eca78b5182ed557d5c15d430fd2acaeed3e3c54cac0a57528294700268c59650694a8c99
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 785ebdb4de99306ae733c0b15f6f400d
SHA1: 37d3cd12d74056bc3ed5fbbd0e55038021958cbf
SHA256: d24246a0dc100dd2bf40c625b80bf5aabf8b6c77069c4eef80937d6ee93d823b
SHA512: 57aa34d3183a4ab4db1c4d8507a4ee614807ffe1e39ad071885805af73aa5c8ff0ed6a970db254135541cece2955886fe5cfd07f8c9442e41da5c56984e137c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: c07f705c0678158d88994563f456f8ae
SHA1: 7754e061795ec5c58ed540a173be426e86a5be70
SHA256: fd69ae4e0d0a045604a01dafe81e0852657ea74b2f8ad64c49b7cea0964a8778
SHA512: 9ebcbe285f24b1efac5a79ec3c912ed774943a74fce735c4689b8608b419492d07e787e304843385ae3b907e4d7a9baf12129e431d787364803862ce3f85b75d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: f10f417989d6e3250a605fd5108dcd1d
SHA1: 4edb2d745b47632b74f533987f7316dbf927b377
SHA256: 75aaecc28155ce286752b58884ed6cfbe6a8e1737c912f3e4b8570032abdcce6
SHA512: 8d64dd3d80bc4c4a2382562c5a99d229d7c3d9ac64ebd85010888632aaee3f455d95c2e270a656080793fca810f25ab6f3cb510f98365f1406c4fc3f0c58e8e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5f3e1ab3dde980fb216b716b2b21ae0f4
SHA1122f188be2a09bd2d095a15c75a40206a94e3adf
SHA256fefa63da0812ee9c6beb0a8343eee10176c9133ec41e65dd69dea140332502db
SHA51251d9feb8f36eb7d42ff8fa2abd4ab4a7e58efd7aeadb53ea9e35d88a01bf2b36af777be58efaef5bb97589e91c4b70a3ede90c8360bd11fc29abf060b7359758
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c6e2f64a92af0c53a0bfb84185154e28
SHA1d26043732cab043ec73f7beb6270e6c8aee2f509
SHA25626aa3360e05db13a4b230294814bce9a50909f04d80d16e6bbbbb46386406125
SHA512bad364eed937ad6c79394e338d06d52f8a0bec69df776b90e71eff3413e6eab80235648cce789c02d1b3697260c99fde4836a0b939c64efcb10ef99b128aec8b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD57a13a20b939735c2865e2c59b30425ae
SHA101fc79c4f26e880dab3f1274418c9f40fbc8cf1a
SHA256ef8aebcd5776d6eab6115cb754991a7067b84ae70c4d5567233bfa2e14240d16
SHA5129295b5e8079da7bd3190d882a368c79c953814061f87d0cb9011f213bfd150867d215af3f2d25918bc7360d3eff7d381d31060228554db0aa1602a8cd460cf06
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534e3230cb2131270db1af79fb3d57752
SHA121434dd7cf3c4624226b89f404fd7982825f8ac6
SHA2560f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39
SHA5123756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD54ae54c3a00d1d664f74bfd4f70c85332
SHA167f3ed7aaea35153326c1f907c0334feef08484c
SHA2561e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c
SHA512b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e8eb51096d6f6781456fef7df731d97
SHA1ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA25696bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA5120a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5311174334b8e31fc10d28c4575e92688
SHA1e2b2b2100f0445b4d37cd16f82d3cfcca3abf335
SHA256793aa8f317799c4ad031a7ba58960643c29f03a24b2baba577cc1ccdcbe46a76
SHA512e7ddc1cf4443564bee7f00a66f2e533d1d89f6ab9434ea75ae7aeec4e8aa56ba40d27c81e472c92724fc892a7726232280274397d3506d95275af41337fc0135
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD54914eb0b2ff51bfa48484b5cc8454218
SHA16a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA2567e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA51283ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qn1hfvg0.rd5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\auqmjx.htmlFilesize
2.3MB
MD5c82b72def4f77d30ce92dcc76a933165
SHA1aa4f5a1a3819f9962f5f886135fc777c7007a343
SHA256e5060ca95740fe722582e8f719d1bb559dcb169b8d71b45b8353134b0c85cb4c
SHA512fc087a0297b0983a2145fa581702f3fae9326f93ed59eaaa6136cbdd71583f5f6f93ec4e416929f21ee48a8d402c07c33035d412fe36ab8bcf8718e72985a4e1
-
C:\Users\Admin\AppData\Local\Temp\pmxncw.exeFilesize
40KB
MD5a2abffd7525046355e99e8673c3701fe
SHA16e1aaff66b5aac7a1c3df969b36da6141a95a4f9
SHA256ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e
SHA51296b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnkFilesize
665B
MD5579debbda322a4d07d53855ed99d14d8
SHA1d432b31dbb38f7ed4a598b26f09c4f8e2897afef
SHA25661333af191b5961d1e0cd0ba1865d23bff65c6231379b095ced0c37249b9e33e
SHA512a11a604d623ad1f407e5e1c0bc0572cc914c4b96c78d8ed31d98f002c17744cd908eed8f82091c66dd598c195976b811914e19882c94ad7c08655049517b042b
-
\??\pipe\LOCAL\crashpad_1840_MXQFBJBPRBZYUXUDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2044-15-0x00007FF836C70000-0x00007FF837732000-memory.dmpFilesize
10.8MB
-
memory/2044-16-0x00007FF836C70000-0x00007FF837732000-memory.dmpFilesize
10.8MB
-
memory/2044-12-0x00007FF836C70000-0x00007FF837732000-memory.dmpFilesize
10.8MB
-
memory/2044-11-0x00007FF836C70000-0x00007FF837732000-memory.dmpFilesize
10.8MB
-
memory/2044-2-0x0000025E3A9F0000-0x0000025E3AA12000-memory.dmpFilesize
136KB
-
memory/2972-56-0x00007FF836C70000-0x00007FF837732000-memory.dmpFilesize
10.8MB
-
memory/2972-52-0x00007FF836C70000-0x00007FF837732000-memory.dmpFilesize
10.8MB
-
memory/2972-1-0x0000000000EE0000-0x0000000000EF6000-memory.dmpFilesize
88KB
-
memory/2972-0-0x00007FF836C73000-0x00007FF836C75000-memory.dmpFilesize
8KB
-
memory/4844-203-0x0000000000CB0000-0x0000000000CC0000-memory.dmpFilesize
64KB