xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1800s
max time network
1176s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral5/memory/4324-1-0x00000000003B0000-0x00000000003C6000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1056 powershell.exe
4912 powershell.exe
2400 powershell.exe
1548 powershell.exe

resource	yara_rule
behavioral5/memory/4324-1-0x00000000003B0000-0x00000000003C6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

pid	process
1056	powershell.exe
4912	powershell.exe
2400	powershell.exe
1548	powershell.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 6 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid process

5000 svhost.exe
3420 svhost.exe
1852 svhost.exe
1776 svhost.exe
1980 svhost.exe
5060 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5000	svhost.exe
3420	svhost.exe
1852	svhost.exe
1776	svhost.exe
1980	svhost.exe
5060	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3316 schtasks.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier	msedge.exe

pid	process
3316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
2400	powershell.exe
2400	powershell.exe
1548	powershell.exe
1548	powershell.exe
1056	powershell.exe
1056	powershell.exe
4912	powershell.exe
4912	powershell.exe
3724	msedge.exe
3724	msedge.exe
5108	msedge.exe
5108	msedge.exe
1140	msedge.exe
1140	msedge.exe
4080	identity_helper.exe
4080	identity_helper.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
4204	msedge.exe
4204	msedge.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
4472
4072
4964
3416
4452
1608
3888
784
4492
3260
904
1244
996
3556
4596
4544
752
4636
1396
1004
2872
1108
2800
3456
1200
3840
3968
2888
2636
1124
896
2240
3128
3676
3288
5088
4428
3604
1048
5040
3688
4048
1804
1372
4032
4312
2400
4212
4084
5096
3192
1748
4960
4876
436
4928
1012
4332
1016
4824
3332
1636
5112
912

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	4324	sv.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	4324	sv.exe
Token: SeDebugPrivilege	5000	svhost.exe
Token: SeDebugPrivilege	3420	svhost.exe
Token: SeDebugPrivilege	1852	svhost.exe
Token: SeDebugPrivilege	1776	svhost.exe
Token: SeDebugPrivilege	1980	svhost.exe
Token: SeDebugPrivilege	5060	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3112 LogonUI.exe

pid	process
3112	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exemsedge.exe

description	pid	process	target process
PID 4324 wrote to memory of 2400	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 2400	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 1548	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 1548	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 1056	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 1056	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 4912	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 4912	4324	sv.exe	powershell.exe
PID 4324 wrote to memory of 3316	4324	sv.exe	schtasks.exe
PID 4324 wrote to memory of 3316	4324	sv.exe	schtasks.exe
PID 5108 wrote to memory of 3148	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3148	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2916	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3724	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3724	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2416	5108	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe -L
2⤵
PID:4936

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe056c3cb8,0x7ffe056c3cc8,0x7ffe056c3cd8
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
2⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
2⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
2⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
2⤵
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
2⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
2⤵
PID:944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
2⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
2⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3320 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8294f1821fd3419c0a42b389d19ecfc6

SHA1
cd4982751377c2904a1d3c58e801fa013ea27533

SHA256
92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a

SHA512
372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
390187670cb1e0eb022f4f7735263e82

SHA1
ea1401ccf6bf54e688a0dc9e6946eae7353b26f1

SHA256
3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947

SHA512
602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
41KB

MD5
b15016a51bd29539b8dcbb0ce3c70a1b

SHA1
4eab6d31dea4a783aae6cabe29babe070bd6f6f0

SHA256
e72c68736ce86ec9e3785a89f0d547b4993d5a2522a33104eeb7954eff7f488a

SHA512
1c74e4d2895651b9ab86158396bcce27a04acfb5655a32a28c37ee0ebd66cd044c3c895db7e14acc41a93db55463310425c188a7c503f0308ce894cf93df219f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
54450f2b998517282e177e3f4a521768

SHA1
36aaa9c737a914301087b9f96bbf8676634e1b6b

SHA256
5e2c5e62c92c2c9a4834c5af55357f726cb740e02f7a3722b58d59b86b7e6e59

SHA512
e6fe1169664ff6fc1f96409144e76e0ba3a086401779e4ddfe97ab87e82b52a1a59cf0338000aa65e9cbc7022e34af4657417d23307add55ba0a5dfed734e98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
620B

MD5
bcf9f6ceae711788b0e296553bf05408

SHA1
198e42c66afe471fdc9bdc6a7ab1d48d09c36dfa

SHA256
e76b06aecc10eb6898bda194f17afc58494ba1c23a839d335253b81b479cbe1a

SHA512
b04ee139d035645c80e03781b707935cf2a6536937d6fa841b8f27b341d36a262f52faf84a3c7ec13331c85f88c06f43f9e36d154cf38e26883f092d44c30e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5ee6468735b49cdb951e1ca9a75db1f3

SHA1
2ce060230df4cf330d1f2f13c7a0ed929a7593a1

SHA256
a99aad0b1027dc64ac6a65b866833ea9c3438381699c34086c228cab24e6e8a9

SHA512
b83ec217b04254fa4788a2b96552132028907598f37bbccce61079c2dd6f87b706a025d6ef968c203b6b1ecf9345ad70b3431be50fa2395603ff449388624030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e1dec082496a7bb6c302a61def992602

SHA1
8b4642cd3c6de3ae7e9f9f7e1a761b6034187314

SHA256
c81301ce64c21b15594d64068f79eab7afdb2a4e8c54dc5b73400584b1e00ce0

SHA512
5af532bc122b45178995b01fa3c3152364c4d78035251ebc2a6150ce2ffbade9ee6690df6c483ade6e5bb0229f3b2277e9a52f7eab48b762c8de14796ad0c6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c253b415fa836aa0d0baa4ce8a9d41ed

SHA1
641ed43b0ab7cb36254fef925b81017f2a6a48fc

SHA256
48a5a4261ce4ceeceb42129f80fdd626b0538f6f3d97dc132ad6b015a3be5115

SHA512
7bc02a285b0374199a9fb3d8ae101524f851b6391be278cdca05178cebc3d7aa881e8a4b5eea0d1b7d979f329ac9878a18bb863c28db079711a02db2f4213d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
98ea8361a6aa41b90453aa005fa4e4ec

SHA1
64796527745a0c30de885097c7f0eb8b65061842

SHA256
b65cf63e188b64a56828b936686df22eda4eb490e804359a2663c224d733aeb6

SHA512
8ddaa81683bfbd09e2f0fec8168e98a1a00aac8964bba3856047e4faadbd6f65f607169422f0f049119c79cba8e32d45bcc7855e5138e151ace063911186f9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
09190ccf73d75965379f6dc011dff999

SHA1
8d6c00a649568ed747c7d443160105726352662b

SHA256
236b51f21302976a2ad669f4457d849bdeebe38bb6cd2d1c652c0d419360ce50

SHA512
49bbfca74fd3d728539af6f25bc887c88239a72a6720f9e086613e11cdaacd5d396a72a3c68c58c3ab90383fb9bb32e59847723e8fa25c7ee34e6f71e6ce91bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
7d6ed65b27c8865b5abe770132eae58b

SHA1
a4c343efeddca8e05b5b2dee6074b7ad8c468e88

SHA256
6c42260f4279a64c24c240c6579edd776343e1af4376f01e2c2bc0ee986e4f80

SHA512
de6f231b27d949e435acdd222d03a679d803a5ed978bf8120101f9661fbaaebd6eb10a017a29f8f4e72922605ca19ab14c15d948adf8cbfc811312259bcd1921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
fe53be328db98bda90530baad431676e

SHA1
a73466b04efee54c4b6ba90c21560037c08d4497

SHA256
887cce2ebd588fda871444d32b91a926dbce0486d8fae85441c4e49226038035

SHA512
941342a8e41407d8df821c9860ac6b6dd9b6b063c3c9b428da3f20b452ba73b04a0a40b7f6899b88049815b23226d1840e5199f9ba049445e7f99564b9168136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a69f6.TMP
Filesize
201B

MD5
1d095a20cd6164a8fbdd79aa119e7a2c

SHA1
7bc5dabc07e5969e9f3df7c482cfa24b19a6ce76

SHA256
6d92a44b8dfc3f9ab882586c4aaf1f6c0c233c2dcc3d37c04163a52788e856ab

SHA512
4a787f752307e434ed639580ff48a141eb6e86542bcc9ebc40f50b878cd9d70116de387db56e74217e3506a73364334a0437dbab99678be94034f5edfc4b779f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
55beda4796f427be92820e9c0eca9a5d

SHA1
63a005149554321591a8d0fd07a4ebda6550eba2

SHA256
a275a41b873bcdbd53a40eaaf58c55f9a4273085c40bff3a12fd741369c32d48

SHA512
3b73bdda389000ac4c1fe8accd78f23226160a79ecd4b18878a188a926125fa24eb5ac83870052853e5b0a95bba3e9fb7735a241a12a23be4aa82cf54920d690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
11efc912c677a9265e2271c0f39591b0

SHA1
08ae6cc8c65971170098439256ce2d079365f484

SHA256
81f4c0c5a54ee67659e60c6f3c75de4fa688669523fddd3c188cb725dbf5365b

SHA512
c2b143b328bf714cfd30649ccba199b7fd3d59abd36171fe637d3d14c3d1ab71c9b21078aca52d91684a555fd8853d19cf2f282d8573a412669860ce00f092ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e1406e40bc90234838ab278843448a11

SHA1
7e056692cfcf53a92ba8582a5fc0d2a418ef0c81

SHA256
fdc53165753f599dd5a22b0bd229f8e4c63e73dc47aece0b475c79a7255b1d10

SHA512
8ada81e44b16bfca0141dfe52a0b63e3cc7827b8dc45bfea87f834ffb759eeac87426c722b75fd76a447ab5efb69e0053b9fb34bd42d40b413a48f702eb70ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohdhzbts.sac.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_5108_RMYJUNJRYSHCTUXD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2400-15-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/2400-18-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/2400-14-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/2400-13-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/2400-12-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/2400-11-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/2400-10-0x000001D9F90C0000-0x000001D9F90E2000-memory.dmp

Filesize
136KB

Download
memory/4324-0-0x00007FFE1AF73000-0x00007FFE1AF75000-memory.dmp

Filesize
8KB

Download
memory/4324-54-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/4324-1-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/4324-55-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download
memory/4324-457-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmp

Filesize
10.8MB

Download