Analysis
-
max time kernel
1800s -
max time network
1176s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
01-07-2024 09:10
Behavioral task
behavioral1
Sample
sv.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
sv.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
sv.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
sv.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
sv.exe
Resource
win11-20240508-en
General
-
Target
sv.exe
-
Size
63KB
-
MD5
c095a62b525e62244cad230e696028cf
-
SHA1
67232c186d3efe248b540f1f2fe3382770b5074a
-
SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
-
SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
SSDEEP
1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted
xworm
amount-acceptance.gl.at.ply.gg:7420
-
Install_directory
%ProgramData%
-
install_file
svhost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule behavioral5/memory/4324-1-0x00000000003B0000-0x00000000003C6000-memory.dmp family_xworm C:\ProgramData\svhost.exe family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1056 powershell.exe 4912 powershell.exe 2400 powershell.exe 1548 powershell.exe -
Drops startup file 2 IoCs
Processes:
sv.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk sv.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk sv.exe -
Executes dropped EXE 6 IoCs
Processes:
svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exepid process 5000 svhost.exe 3420 svhost.exe 1852 svhost.exe 1776 svhost.exe 1980 svhost.exe 5060 svhost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
sv.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepid process 2400 powershell.exe 2400 powershell.exe 1548 powershell.exe 1548 powershell.exe 1056 powershell.exe 1056 powershell.exe 4912 powershell.exe 4912 powershell.exe 3724 msedge.exe 3724 msedge.exe 5108 msedge.exe 5108 msedge.exe 1140 msedge.exe 1140 msedge.exe 4080 identity_helper.exe 4080 identity_helper.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 4204 msedge.exe 4204 msedge.exe -
Suspicious behavior: LoadsDriver 64 IoCs
Processes:
pid process 4472 4072 4964 3416 4452 1608 3888 784 4492 3260 904 1244 996 3556 4596 4544 752 4636 1396 1004 2872 1108 2800 3456 1200 3840 3968 2888 2636 1124 896 2240 3128 3676 3288 5088 4428 3604 1048 5040 3688 4048 1804 1372 4032 4312 2400 4212 4084 5096 3192 1748 4960 4876 436 4928 1012 4332 1016 4824 3332 1636 5112 912 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Processes:
msedge.exepid process 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exedescription pid process Token: SeDebugPrivilege 4324 sv.exe Token: SeDebugPrivilege 2400 powershell.exe Token: SeDebugPrivilege 1548 powershell.exe Token: SeDebugPrivilege 1056 powershell.exe Token: SeDebugPrivilege 4912 powershell.exe Token: SeDebugPrivilege 4324 sv.exe Token: SeDebugPrivilege 5000 svhost.exe Token: SeDebugPrivilege 3420 svhost.exe Token: SeDebugPrivilege 1852 svhost.exe Token: SeDebugPrivilege 1776 svhost.exe Token: SeDebugPrivilege 1980 svhost.exe Token: SeDebugPrivilege 5060 svhost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid process 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 3112 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
sv.exemsedge.exedescription pid process target process PID 4324 wrote to memory of 2400 4324 sv.exe powershell.exe PID 4324 wrote to memory of 2400 4324 sv.exe powershell.exe PID 4324 wrote to memory of 1548 4324 sv.exe powershell.exe PID 4324 wrote to memory of 1548 4324 sv.exe powershell.exe PID 4324 wrote to memory of 1056 4324 sv.exe powershell.exe PID 4324 wrote to memory of 1056 4324 sv.exe powershell.exe PID 4324 wrote to memory of 4912 4324 sv.exe powershell.exe PID 4324 wrote to memory of 4912 4324 sv.exe powershell.exe PID 4324 wrote to memory of 3316 4324 sv.exe schtasks.exe PID 4324 wrote to memory of 3316 4324 sv.exe schtasks.exe PID 5108 wrote to memory of 3148 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 3148 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2916 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 3724 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 3724 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe PID 5108 wrote to memory of 2416 5108 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sv.exe"C:\Users\Admin\AppData\Local\Temp\sv.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe -L2⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe056c3cb8,0x7ffe056c3cc8,0x7ffe056c3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3320 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2339000906443795388,10439920577805937167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a2a855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\svhost.exeFilesize
63KB
MD5c095a62b525e62244cad230e696028cf
SHA167232c186d3efe248b540f1f2fe3382770b5074a
SHA256a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA5125ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.logFilesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58294f1821fd3419c0a42b389d19ecfc6
SHA1cd4982751377c2904a1d3c58e801fa013ea27533
SHA25692a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
SHA512372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5390187670cb1e0eb022f4f7735263e82
SHA1ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
SHA2563e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
SHA512602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
41KB
MD5b15016a51bd29539b8dcbb0ce3c70a1b
SHA14eab6d31dea4a783aae6cabe29babe070bd6f6f0
SHA256e72c68736ce86ec9e3785a89f0d547b4993d5a2522a33104eeb7954eff7f488a
SHA5121c74e4d2895651b9ab86158396bcce27a04acfb5655a32a28c37ee0ebd66cd044c3c895db7e14acc41a93db55463310425c188a7c503f0308ce894cf93df219f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD554450f2b998517282e177e3f4a521768
SHA136aaa9c737a914301087b9f96bbf8676634e1b6b
SHA2565e2c5e62c92c2c9a4834c5af55357f726cb740e02f7a3722b58d59b86b7e6e59
SHA512e6fe1169664ff6fc1f96409144e76e0ba3a086401779e4ddfe97ab87e82b52a1a59cf0338000aa65e9cbc7022e34af4657417d23307add55ba0a5dfed734e98b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
620B
MD5bcf9f6ceae711788b0e296553bf05408
SHA1198e42c66afe471fdc9bdc6a7ab1d48d09c36dfa
SHA256e76b06aecc10eb6898bda194f17afc58494ba1c23a839d335253b81b479cbe1a
SHA512b04ee139d035645c80e03781b707935cf2a6536937d6fa841b8f27b341d36a262f52faf84a3c7ec13331c85f88c06f43f9e36d154cf38e26883f092d44c30e35
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD55ee6468735b49cdb951e1ca9a75db1f3
SHA12ce060230df4cf330d1f2f13c7a0ed929a7593a1
SHA256a99aad0b1027dc64ac6a65b866833ea9c3438381699c34086c228cab24e6e8a9
SHA512b83ec217b04254fa4788a2b96552132028907598f37bbccce61079c2dd6f87b706a025d6ef968c203b6b1ecf9345ad70b3431be50fa2395603ff449388624030
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e1dec082496a7bb6c302a61def992602
SHA18b4642cd3c6de3ae7e9f9f7e1a761b6034187314
SHA256c81301ce64c21b15594d64068f79eab7afdb2a4e8c54dc5b73400584b1e00ce0
SHA5125af532bc122b45178995b01fa3c3152364c4d78035251ebc2a6150ce2ffbade9ee6690df6c483ade6e5bb0229f3b2277e9a52f7eab48b762c8de14796ad0c6ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5c253b415fa836aa0d0baa4ce8a9d41ed
SHA1641ed43b0ab7cb36254fef925b81017f2a6a48fc
SHA25648a5a4261ce4ceeceb42129f80fdd626b0538f6f3d97dc132ad6b015a3be5115
SHA5127bc02a285b0374199a9fb3d8ae101524f851b6391be278cdca05178cebc3d7aa881e8a4b5eea0d1b7d979f329ac9878a18bb863c28db079711a02db2f4213d04
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD598ea8361a6aa41b90453aa005fa4e4ec
SHA164796527745a0c30de885097c7f0eb8b65061842
SHA256b65cf63e188b64a56828b936686df22eda4eb490e804359a2663c224d733aeb6
SHA5128ddaa81683bfbd09e2f0fec8168e98a1a00aac8964bba3856047e4faadbd6f65f607169422f0f049119c79cba8e32d45bcc7855e5138e151ace063911186f9d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD509190ccf73d75965379f6dc011dff999
SHA18d6c00a649568ed747c7d443160105726352662b
SHA256236b51f21302976a2ad669f4457d849bdeebe38bb6cd2d1c652c0d419360ce50
SHA51249bbfca74fd3d728539af6f25bc887c88239a72a6720f9e086613e11cdaacd5d396a72a3c68c58c3ab90383fb9bb32e59847723e8fa25c7ee34e6f71e6ce91bb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
538B
MD57d6ed65b27c8865b5abe770132eae58b
SHA1a4c343efeddca8e05b5b2dee6074b7ad8c468e88
SHA2566c42260f4279a64c24c240c6579edd776343e1af4376f01e2c2bc0ee986e4f80
SHA512de6f231b27d949e435acdd222d03a679d803a5ed978bf8120101f9661fbaaebd6eb10a017a29f8f4e72922605ca19ab14c15d948adf8cbfc811312259bcd1921
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5fe53be328db98bda90530baad431676e
SHA1a73466b04efee54c4b6ba90c21560037c08d4497
SHA256887cce2ebd588fda871444d32b91a926dbce0486d8fae85441c4e49226038035
SHA512941342a8e41407d8df821c9860ac6b6dd9b6b063c3c9b428da3f20b452ba73b04a0a40b7f6899b88049815b23226d1840e5199f9ba049445e7f99564b9168136
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a69f6.TMPFilesize
201B
MD51d095a20cd6164a8fbdd79aa119e7a2c
SHA17bc5dabc07e5969e9f3df7c482cfa24b19a6ce76
SHA2566d92a44b8dfc3f9ab882586c4aaf1f6c0c233c2dcc3d37c04163a52788e856ab
SHA5124a787f752307e434ed639580ff48a141eb6e86542bcc9ebc40f50b878cd9d70116de387db56e74217e3506a73364334a0437dbab99678be94034f5edfc4b779f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD555beda4796f427be92820e9c0eca9a5d
SHA163a005149554321591a8d0fd07a4ebda6550eba2
SHA256a275a41b873bcdbd53a40eaaf58c55f9a4273085c40bff3a12fd741369c32d48
SHA5123b73bdda389000ac4c1fe8accd78f23226160a79ecd4b18878a188a926125fa24eb5ac83870052853e5b0a95bba3e9fb7735a241a12a23be4aa82cf54920d690
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD511efc912c677a9265e2271c0f39591b0
SHA108ae6cc8c65971170098439256ce2d079365f484
SHA25681f4c0c5a54ee67659e60c6f3c75de4fa688669523fddd3c188cb725dbf5365b
SHA512c2b143b328bf714cfd30649ccba199b7fd3d59abd36171fe637d3d14c3d1ab71c9b21078aca52d91684a555fd8853d19cf2f282d8573a412669860ce00f092ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e1406e40bc90234838ab278843448a11
SHA17e056692cfcf53a92ba8582a5fc0d2a418ef0c81
SHA256fdc53165753f599dd5a22b0bd229f8e4c63e73dc47aece0b475c79a7255b1d10
SHA5128ada81e44b16bfca0141dfe52a0b63e3cc7827b8dc45bfea87f834ffb759eeac87426c722b75fd76a447ab5efb69e0053b9fb34bd42d40b413a48f702eb70ab7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohdhzbts.sac.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_5108_RMYJUNJRYSHCTUXDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2400-15-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/2400-18-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/2400-14-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/2400-13-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/2400-12-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/2400-11-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/2400-10-0x000001D9F90C0000-0x000001D9F90E2000-memory.dmpFilesize
136KB
-
memory/4324-0-0x00007FFE1AF73000-0x00007FFE1AF75000-memory.dmpFilesize
8KB
-
memory/4324-54-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/4324-1-0x00000000003B0000-0x00000000003C6000-memory.dmpFilesize
88KB
-
memory/4324-55-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB
-
memory/4324-457-0x00007FFE1AF70000-0x00007FFE1BA32000-memory.dmpFilesize
10.8MB