xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1795s
max time network
1800s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Extracted

Family

xworm

Version

5.0

amount-acceptance.gl.at.ply.gg:7420

Mutex

k2N8rf6LqCqdtF6c

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2972-1-0x0000000000EE0000-0x0000000000EF6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\pmxncw.exe	family_xworm
behavioral4/memory/4844-203-0x0000000000CB0000-0x0000000000CC0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2288 powershell.exe
2140 powershell.exe
4852 powershell.exe
4272 powershell.exe
1412 powershell.exe
2044 powershell.exe
3304 powershell.exe
2132 powershell.exe

pid	process
2288	powershell.exe
2140	powershell.exe
4852	powershell.exe
4272	powershell.exe
1412	powershell.exe
2044	powershell.exe
3304	powershell.exe
2132	powershell.exe

Drops startup file 3 IoCs

Processes:

sv.exepmxncw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	pmxncw.exe

Executes dropped EXE 31 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exepmxncw.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid	process
3148	svhost.exe
2844	svhost.exe
1664	svhost.exe
3840	svhost.exe
4844	pmxncw.exe
3808	svhost.exe
2216	svhost.exe
3904	svhost.exe
3976	svhost.exe
2804	svhost.exe
1404	svhost.exe
2316	svhost.exe
2876	svhost.exe
900	svhost.exe
1624	svhost.exe
1924	svhost.exe
2796	svhost.exe
4372	svhost.exe
2252	svhost.exe
4636	svhost.exe
4300	svhost.exe
768	svhost.exe
860	svhost.exe
3264	svhost.exe
4092	svhost.exe
5024	svhost.exe
4616	svhost.exe
1180	svhost.exe
1392	svhost.exe
564	svhost.exe
1496	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sv.exepmxncw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	pmxncw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2840 schtasks.exe
2624 schtasks.exe

pid	process
2840	schtasks.exe
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2044	powershell.exe
2044	powershell.exe
3304	powershell.exe
3304	powershell.exe
2132	powershell.exe
2132	powershell.exe
2288	powershell.exe
2288	powershell.exe
1444	msedge.exe
1444	msedge.exe
1840	msedge.exe
1840	msedge.exe
3876	msedge.exe
3876	msedge.exe
2796	identity_helper.exe
2796	identity_helper.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
2140	powershell.exe
2140	powershell.exe
4852	powershell.exe
4852	powershell.exe
4272	powershell.exe
4272	powershell.exe
1412	powershell.exe
1412	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

sv.exepmxncw.exe

pid process

2972 sv.exe
4844 pmxncw.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe

pid	process
2972	sv.exe
4844	pmxncw.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exeAUDIODG.EXEsvhost.exesvhost.exesvhost.exepmxncw.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2972	sv.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2972	sv.exe
Token: SeDebugPrivilege	3148	svhost.exe
Token: 33	4280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4280	AUDIODG.EXE
Token: SeDebugPrivilege	2844	svhost.exe
Token: SeDebugPrivilege	1664	svhost.exe
Token: SeDebugPrivilege	3840	svhost.exe
Token: SeDebugPrivilege	4844	pmxncw.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	4844	pmxncw.exe
Token: SeDebugPrivilege	3808	svhost.exe
Token: SeDebugPrivilege	2216	svhost.exe
Token: SeDebugPrivilege	3904	svhost.exe
Token: SeDebugPrivilege	3976	svhost.exe
Token: SeDebugPrivilege	2804	svhost.exe
Token: SeDebugPrivilege	1404	svhost.exe
Token: SeDebugPrivilege	2316	svhost.exe
Token: SeDebugPrivilege	2876	svhost.exe
Token: SeDebugPrivilege	900	svhost.exe
Token: SeDebugPrivilege	1624	svhost.exe
Token: SeDebugPrivilege	1924	svhost.exe
Token: SeDebugPrivilege	2796	svhost.exe
Token: SeDebugPrivilege	4372	svhost.exe
Token: SeDebugPrivilege	2252	svhost.exe
Token: SeDebugPrivilege	4636	svhost.exe
Token: SeDebugPrivilege	4300	svhost.exe
Token: SeDebugPrivilege	768	svhost.exe
Token: SeDebugPrivilege	860	svhost.exe
Token: SeDebugPrivilege	3264	svhost.exe
Token: SeDebugPrivilege	4092	svhost.exe
Token: SeDebugPrivilege	5024	svhost.exe
Token: SeDebugPrivilege	4616	svhost.exe
Token: SeDebugPrivilege	1180	svhost.exe
Token: SeDebugPrivilege	1392	svhost.exe
Token: SeDebugPrivilege	564	svhost.exe
Token: SeDebugPrivilege	1496	svhost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe
1840 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exemsedge.exe

description	pid	process	target process
PID 2972 wrote to memory of 2044	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 2044	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 3304	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 3304	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 2132	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 2132	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 2288	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 2288	2972	sv.exe	powershell.exe
PID 2972 wrote to memory of 2840	2972	sv.exe	schtasks.exe
PID 2972 wrote to memory of 2840	2972	sv.exe	schtasks.exe
PID 2972 wrote to memory of 1840	2972	sv.exe	msedge.exe
PID 2972 wrote to memory of 1840	2972	sv.exe	msedge.exe
PID 1840 wrote to memory of 1884	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1884	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1696	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1444	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 1444	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 2448	1840	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\auqmjx.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8323f3cb8,0x7ff8323f3cc8,0x7ff8323f3cd8
3⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
3⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
3⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
3⤵
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
3⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4692 /prefetch:8
3⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
3⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
3⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
3⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
3⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11037288288965580832,5162385674034098707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
3⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\pmxncw.exe
"C:\Users\Admin\AppData\Local\Temp\pmxncw.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pmxncw.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pmxncw.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://exmple.com/
2⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8323f3cb8,0x7ff8323f3cc8,0x7ff8323f3cd8
3⤵
PID:2544

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\30786ba6-6adc-442f-8e63-5a26ac2dd56e.tmp
Filesize
10KB

MD5
be8b94936345a953deda9db090e00687

SHA1
e62c9cc9b9cfe03a34a7370176970b62b1377ac2

SHA256
1142a5d97697a793715565acf67160424334d67b5d2d90a9a1c468f49bf8b727

SHA512
f6749eef31d598c72bdc434368787933493b26d5f065cad7597190b4f1b51e2b4f0d085a5bbb005ddb95a6540f33a4fc1da1bd908be6c95235f22adb6ab8c41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
cd71bad4f6de79d4860699870d0f4f1f

SHA1
10335ea26d09637ad9607b2fe877f49f75cd5285

SHA256
6cc338e3cdb6ce33dec53b7c327a225591b52df2ce00bb123747283efe5b7a38

SHA512
cd44d6c5edcfd8362f94ee454e516fc10f4677174be5b03023dc302026940c1dd31bb3616ffc8410396d27014552341e4f2e687f0d3f504ba3bec7e1684a9aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
185B

MD5
efa3b79297b792ddfa72609e2389407a

SHA1
7c959b0d9c508607119d7c112fe81939169c8ccb

SHA256
04371cb7276a5868761433e311d805f97da580075fc9bf1a66f0a9d8ac9a4017

SHA512
1f08b7ea9823ae979382586db83b05c0d0dc5cb565b3946fb8134c0dfaaf61fdf80d6c666ceca6522964ac446d2a2e798e1f0eaff3dd2ab5cae88a793db20eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
21fcd7317a754c5e572ed29bc67faa5c

SHA1
19bfa5b811105840cbce03a39b6593a572cde063

SHA256
00bb8646d41fa9ebac6714f69a5f279158ae9262085d56344a8defa0e277221b

SHA512
795a237b8ef6dcb986ead6f4908b3e33d5fb4b5376969321cbc79397eca78b5182ed557d5c15d430fd2acaeed3e3c54cac0a57528294700268c59650694a8c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
785ebdb4de99306ae733c0b15f6f400d

SHA1
37d3cd12d74056bc3ed5fbbd0e55038021958cbf

SHA256
d24246a0dc100dd2bf40c625b80bf5aabf8b6c77069c4eef80937d6ee93d823b

SHA512
57aa34d3183a4ab4db1c4d8507a4ee614807ffe1e39ad071885805af73aa5c8ff0ed6a970db254135541cece2955886fe5cfd07f8c9442e41da5c56984e137c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c07f705c0678158d88994563f456f8ae

SHA1
7754e061795ec5c58ed540a173be426e86a5be70

SHA256
fd69ae4e0d0a045604a01dafe81e0852657ea74b2f8ad64c49b7cea0964a8778

SHA512
9ebcbe285f24b1efac5a79ec3c912ed774943a74fce735c4689b8608b419492d07e787e304843385ae3b907e4d7a9baf12129e431d787364803862ce3f85b75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f10f417989d6e3250a605fd5108dcd1d

SHA1
4edb2d745b47632b74f533987f7316dbf927b377

SHA256
75aaecc28155ce286752b58884ed6cfbe6a8e1737c912f3e4b8570032abdcce6

SHA512
8d64dd3d80bc4c4a2382562c5a99d229d7c3d9ac64ebd85010888632aaee3f455d95c2e270a656080793fca810f25ab6f3cb510f98365f1406c4fc3f0c58e8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f3e1ab3dde980fb216b716b2b21ae0f4

SHA1
122f188be2a09bd2d095a15c75a40206a94e3adf

SHA256
fefa63da0812ee9c6beb0a8343eee10176c9133ec41e65dd69dea140332502db

SHA512
51d9feb8f36eb7d42ff8fa2abd4ab4a7e58efd7aeadb53ea9e35d88a01bf2b36af777be58efaef5bb97589e91c4b70a3ede90c8360bd11fc29abf060b7359758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c6e2f64a92af0c53a0bfb84185154e28

SHA1
d26043732cab043ec73f7beb6270e6c8aee2f509

SHA256
26aa3360e05db13a4b230294814bce9a50909f04d80d16e6bbbbb46386406125

SHA512
bad364eed937ad6c79394e338d06d52f8a0bec69df776b90e71eff3413e6eab80235648cce789c02d1b3697260c99fde4836a0b939c64efcb10ef99b128aec8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7a13a20b939735c2865e2c59b30425ae

SHA1
01fc79c4f26e880dab3f1274418c9f40fbc8cf1a

SHA256
ef8aebcd5776d6eab6115cb754991a7067b84ae70c4d5567233bfa2e14240d16

SHA512
9295b5e8079da7bd3190d882a368c79c953814061f87d0cb9011f213bfd150867d215af3f2d25918bc7360d3eff7d381d31060228554db0aa1602a8cd460cf06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
34e3230cb2131270db1af79fb3d57752

SHA1
21434dd7cf3c4624226b89f404fd7982825f8ac6

SHA256
0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39

SHA512
3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4ae54c3a00d1d664f74bfd4f70c85332

SHA1
67f3ed7aaea35153326c1f907c0334feef08484c

SHA256
1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c

SHA512
b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
311174334b8e31fc10d28c4575e92688

SHA1
e2b2b2100f0445b4d37cd16f82d3cfcca3abf335

SHA256
793aa8f317799c4ad031a7ba58960643c29f03a24b2baba577cc1ccdcbe46a76

SHA512
e7ddc1cf4443564bee7f00a66f2e533d1d89f6ab9434ea75ae7aeec4e8aa56ba40d27c81e472c92724fc892a7726232280274397d3506d95275af41337fc0135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qn1hfvg0.rd5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\auqmjx.html
Filesize
2.3MB

MD5
c82b72def4f77d30ce92dcc76a933165

SHA1
aa4f5a1a3819f9962f5f886135fc777c7007a343

SHA256
e5060ca95740fe722582e8f719d1bb559dcb169b8d71b45b8353134b0c85cb4c

SHA512
fc087a0297b0983a2145fa581702f3fae9326f93ed59eaaa6136cbdd71583f5f6f93ec4e416929f21ee48a8d402c07c33035d412fe36ab8bcf8718e72985a4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmxncw.exe
Filesize
40KB

MD5
a2abffd7525046355e99e8673c3701fe

SHA1
6e1aaff66b5aac7a1c3df969b36da6141a95a4f9

SHA256
ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e

SHA512
96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk
Filesize
665B

MD5
579debbda322a4d07d53855ed99d14d8

SHA1
d432b31dbb38f7ed4a598b26f09c4f8e2897afef

SHA256
61333af191b5961d1e0cd0ba1865d23bff65c6231379b095ced0c37249b9e33e

SHA512
a11a604d623ad1f407e5e1c0bc0572cc914c4b96c78d8ed31d98f002c17744cd908eed8f82091c66dd598c195976b811914e19882c94ad7c08655049517b042b

Download Submit
\??\pipe\LOCAL\crashpad_1840_MXQFBJBPRBZYUXUD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2044-15-0x00007FF836C70000-0x00007FF837732000-memory.dmp

Filesize
10.8MB

Download
memory/2044-16-0x00007FF836C70000-0x00007FF837732000-memory.dmp

Filesize
10.8MB

Download
memory/2044-12-0x00007FF836C70000-0x00007FF837732000-memory.dmp

Filesize
10.8MB

Download
memory/2044-11-0x00007FF836C70000-0x00007FF837732000-memory.dmp

Filesize
10.8MB

Download
memory/2044-2-0x0000025E3A9F0000-0x0000025E3AA12000-memory.dmp

Filesize
136KB

Download
memory/2972-56-0x00007FF836C70000-0x00007FF837732000-memory.dmp

Filesize
10.8MB

Download
memory/2972-52-0x00007FF836C70000-0x00007FF837732000-memory.dmp

Filesize
10.8MB

Download
memory/2972-1-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

Filesize
88KB

Download
memory/2972-0-0x00007FF836C73000-0x00007FF836C75000-memory.dmp

Filesize
8KB

Download
memory/4844-203-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download